On Tue, Apr 16, 2019 at 1:20 PM David Woodhouse <dwmw2@xxxxxxxxxxxxx> wrote:
>
> > Hi.
> >
> > SonicWall SMA is an SSL/DTLS-based VPN. Is it feasible to add support
> > for it to openconnect, since it might be similar to Cisco AnyConnect
> > and Pulse solutions?
>
> Yeah, shouldn't be that hard. Stick a MITM proxy between client and server
> so we can see what happens over the SSL connection, and we can take it
> from there.

A few more thoughts…

1. When MITM'ing a VPN protocol, it's very likely that you find that the
official client/server send and verify their TLS certificates in some way
outside the normal TLS handshake mechanism. For example, Juniper NC protocol
servers send an MD5 hash of their own certificates to the official client,
which will abruptly terminate the connection if it's being run through a
MITM proxy, which of course replaces the certificate. In order to work
around this, you'll need to write a script for mitmproxy to find the hash
of the "real" server cert and replace it with the hash of the MITM cert.
This is much easier to do in mitmproxy v3.0+, due to a pull request I
submitted which exposes the MITM cert to a script
(https://github.com/mitmproxy/mitmproxy/pull/2018).

2. I'd suggest trying to write some kind of document or specification of
the protocol (e.g.
https://github.com/dlenski/openconnect/blob/master/PAN_GlobalProtect_protocol_doc.md)
before you start writing any code. This made things much, much easier for
me while working on GP support.

3. OpenConnect currently supports the three most widely-deployed SSL VPNs
in the USA (AnyConnect, Juniper, and GlobalProtect, in that order) based on
my attempts to survey a bunch of S&P 500 companies and university websites
using what-vpn (https://github.com/dlenski/what-vpn). Microsoft SSTP and
Barracuda appear to be the next most common. I wasn't able to find enough
examples of SonicWall VPNs to add a reliable "sniffer" for them, but I
suspect it's a fairly niche/rare VPN.
Dan

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel