I've tried, whenever possible not to lie to the server about the client configuration. However, there are now multiple cases where a GlobalProtect server responds with a misleading error when the `ssl-vpn/login.esp` request doesn't contain the exact, magic value of `clientos=Windows`. * https://github.com/dlenski/openconnect/issues/86 ("Assign private IP address failed" unless `clientos=Windows` in `ssl-vpn/login.esp` request) * https://github.com/dlenski/openconnect/issues/116 ("Invalid username or password" unless `clientos=Windows` in `ssl-vpn/login.esp` request) These cases are very difficult to debug because they seem to be suggesting totally unrelated errors. For reliability, this patch makes openconnect always specify `clientos=Windows` in relevant requests, regardless of the actual `vpninfo->platname`. (The `vpninfo->platname` value can still be sent in the "free-form" `os-version` field, as far as I can tell.) Signed-off-by: Daniel Lenski <dlenski at gmail.com> --- auth-globalprotect.c | 7 ++----- gpst.c | 6 +----- 2 files changed, 3 insertions(+), 10 deletions(-) diff --git a/auth-globalprotect.c b/auth-globalprotect.c index 5c4dfe7..5b2d3ec 100644 --- a/auth-globalprotect.c +++ b/auth-globalprotect.c @@ -362,11 +362,8 @@ static int gpst_login(struct openconnect_info *vpninfo, int portal, char *pw_or_ /* submit gateway login (ssl-vpn/login.esp) or portal config (global-protect/getconfig.esp) request */ buf_truncate(request_body); - buf_append(request_body, "jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&prot=https:"); - if (!strcmp(vpninfo->platname, "win")) - append_opt(request_body, "clientos", "Windows"); - else - append_opt(request_body, "clientos", vpninfo->platname); + buf_append(request_body, "jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&prot=https:&clientos=Windows"); + append_opt(request_body, "os-version", vpninfo->platname); append_opt(request_body, "server", vpninfo->hostname); append_opt(request_body, "computer", vpninfo->localname); if (vpninfo->ip_info.addr) diff --git a/gpst.c b/gpst.c index 9742fe1..b064a3e 100644 --- a/gpst.c +++ b/gpst.c @@ -590,12 +590,8 @@ static int gpst_get_config(struct openconnect_info *vpninfo) char *xml_buf=NULL; /* submit getconfig request */ - buf_append(request_body, "client-type=1&protocol-version=p1&app-version=3.0.1-10"); + buf_append(request_body, "client-type=1&protocol-version=p1&app-version=3.0.1-10&clientos=Windows"); append_opt(request_body, "os-version", vpninfo->platname); - if (!strcmp(vpninfo->platname, "win")) - append_opt(request_body, "clientos", "Windows"); - else - append_opt(request_body, "clientos", vpninfo->platname); append_opt(request_body, "hmac-algo", "sha1,md5"); append_opt(request_body, "enc-algo", "aes-128-cbc,aes-256-cbc"); if (old_addr) { -- 2.7.4
