~mamarley/openconnect/+git/gitlab-main:jun2pulse_hybrid_mode

Last commit made on 2021-04-17
Get this branch:
git clone -b jun2pulse_hybrid_mode https://git.launchpad.net/~mamarley/openconnect/+git/gitlab-main

Branch information

Name:
jun2pulse_hybrid_mode
Repository:
lp:~mamarley/openconnect/+git/gitlab-main

Recent commits

c654c19... by Dan Lenski

encourage use of this monstrosity if Juniper auth works, but tunnel isn't supported

Signed-off-by: Daniel Lenski <email address hidden>

667129b... by Dan Lenski

workaround Juniper auth's silent redirects with retry

Signed-off-by: Daniel Lenski <email address hidden>

1932086... by Dan Lenski

add jun2pulse protocol for greater auth compatibility

This uses the older HTML-based Juniper authentication to obtain the DSID
cookie, then attempts to initiate a *Pulse* tunnel with that authentication
cookie.

What shall we call this beautiful, beautiful hybrid protocol?

- jun2pulse ?
- nc2pulse ?
- mullet? “Juniper up front, Pulse in the back.”

Most VPNs appear to accept Juniper-style authentication even if they only
disable oNCP tunnel mode and only allow Pulse tunnel mode (see !48, aka
"error 0x08").

One limitation is that if you use an incorrect URL path or usergroup (e.g.
https://juniper.server.com/not_valid), the Juniper auth mode will silently
redirect to the “default” usergroup, but Pulse will return `404 Not Found`
on the `GET /not_valid`, `Upgrade: IF-T/TLS 1.0` request.

Signed-off-by: Daniel Lenski <email address hidden>
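The limitation described in the commit above (Juniper auth silently lands on the default usergroup while the Pulse upgrade on the original path returns 404) is illustrated below as an added example; this is not OpenConnect's own code. The function names juniper_path_was_redirected(), build_pulse_upgrade_request() and parse_http_status() are invented for the example. Beyond the `Upgrade: IF-T/TLS 1.0` header quoted in the commit, the exact request framing (Host, Cookie: DSID=..., Content-Length) is an assumption made only so the request is complete; the page does not specify how the DSID cookie is carried on the Pulse side. The check a client wants is to compare the path it asked for against the path the Juniper auth actually finished on before issuing the upgrade request, instead of discovering the mismatch as a 404.

```c
/* Added example, not OpenConnect code. Shows the jun2pulse failure mode:
 * Juniper HTML auth redirects an unknown path to the default usergroup,
 * but the Pulse IF-T/TLS upgrade on the originally requested path 404s. */
#include <stdio.h>
#include <string.h>

/* Copy the path component of an absolute URL into out ("/a/b?x=1" -> "/a/b").
 * A URL with no path yields "/". A trailing slash is dropped so that
 * "/foo/" and "/foo" compare equal. Returns -1 if out is too small. */
static int url_path(const char *url, char *out, size_t outlen)
{
	const char *p = strstr(url, "://");
	size_t n;

	p = p ? p + 3 : url;
	p = strchr(p, '/');
	if (!p) {
		if (outlen < 2)
			return -1;
		strcpy(out, "/");
		return 0;
	}
	n = strcspn(p, "?#");
	if (n + 1 > outlen)
		return -1;
	memcpy(out, p, n);
	out[n] = '\0';
	if (n > 1 && out[n - 1] == '/')
		out[n - 1] = '\0';
	return 0;
}

/* 1 if the Juniper auth finished on a different path (usergroup) than the
 * one the user asked for, 0 if they match, -1 on malformed input. A 1 here
 * means a Pulse "GET <requested path>" with Upgrade: IF-T/TLS 1.0 will 404. */
int juniper_path_was_redirected(const char *requested_url, const char *final_url)
{
	char a[256], b[256];

	if (url_path(requested_url, a, sizeof(a)) ||
	    url_path(final_url, b, sizeof(b)))
		return -1;
	return strcmp(a, b) != 0;
}

/* Build the IF-T/TLS upgrade request on the path we were actually
 * authenticated for. Header set other than Upgrade: is an assumption.
 * Returns the request length or -1 if it does not fit. */
int build_pulse_upgrade_request(const char *host, const char *path,
				const char *dsid, char *buf, size_t buflen)
{
	int n = snprintf(buf, buflen,
			 "GET %s HTTP/1.1\r\n"
			 "Host: %s\r\n"
			 "Cookie: DSID=%s\r\n"
			 "Upgrade: IF-T/TLS 1.0\r\n"
			 "Content-Length: 0\r\n"
			 "\r\n",
			 path, host, dsid);

	if (n < 0 || (size_t)n >= buflen)
		return -1;
	return n;
}

/* Parse the status line of the server's reply ("HTTP/1.1 404 Not Found")
 * and return the numeric code, or -1 if it is not an HTTP status line. */
int parse_http_status(const char *resp)
{
	int code;

	if (sscanf(resp, "HTTP/%*d.%*d %3d", &code) != 1)
		return -1;
	return code;
}
```

A client in this hybrid mode would call juniper_path_was_redirected() with the URL it was given and the URL the auth ended on; a result of 1 is the moment to warn the user that the usergroup path was wrong rather than proceed to an upgrade request that the Pulse side will reject.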

f24770d... by Dan Lenski

Update 'Getting Started / Connecting' docs

- Remove section on patching for DTLS support (thankfully, long-obsolete)
- Clarify meaning of "certificate" as TLS/SSL client certificate; lots of
  users appear to be confused by this
- Mention both -c and -k options
- Refer to manual for more automation of authentication
- Clarify when Jailbreak might be needed to extract certificates on
  Windows (when the private key is marked as "non-exportable")

Signed-off-by: Daniel Lenski <email address hidden>

8e15f92... by Dan Lenski

Accept IPv6 netmasks like /dead:beef::, in addition to /N

Some F5 server configurations appear to require an IPv6 netmask in this
form.

This adds a netmasklen6() function, analogous to the Legacy IP version in
netmasklen(). It also adds gcc-optimized forms, using __builtin_clz, for
both netmasklen functions.

[dwmw2: Detect __builtin_clz() with autoconf, wrap it once in cls()]
Signed-off-by: Daniel Lenski <email address hidden>
Signed-off-by: David Woodhouse <email address hidden>
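As an added example of what the commit above describes (not OpenConnect's own netmasklen()/netmasklen6() or cls(), whose exact signatures are not shown on this page), here is a prefix-length computation for IPv4 and IPv6 masks using __builtin_clz where available. One check worth having that the commit text does not mention: a mask with holes must be rejected rather than silently truncated, since a wrong prefix length changes which traffic goes through the tunnel. Taken literally, the `/dead:beef::` pattern from the commit is such a non-contiguous value, and the example returns -1 for it. The helper parse_ipv6_netmask() accepting both "/N" and "/a:b::" forms is an assumption about how such a value might be consumed.

```c
/* Added example, not OpenConnect code: prefix length from a netmask, with
 * rejection of non-contiguous masks. Names cls/netmasklen/netmasklen6 follow
 * the commit text but the signatures here are assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Count leading set bits of a 32-bit word. __builtin_clz(0) is undefined,
 * so the all-ones case (whose complement is 0) is handled explicitly. */
static int cls(uint32_t v)
{
	uint32_t inv = ~v;

	if (inv == 0)
		return 32;
#ifdef __GNUC__
	return __builtin_clz(inv);
#else
	{
		int n = 0;
		while (v & 0x80000000u) {
			n++;
			v <<= 1;
		}
		return n;
	}
#endif
}

/* Prefix length of a Legacy IP mask in host byte order, or -1 if the mask
 * is not a run of ones followed by zeros (e.g. 255.0.255.0). */
int netmasklen(uint32_t mask)
{
	int n = cls(mask);

	/* Everything after the leading ones must be zero. Guard n == 32,
	 * because shifting a 32-bit value by 32 is undefined. */
	if (n < 32 && (mask << n) != 0)
		return -1;
	return n;
}

/* Prefix length of a 16-byte IPv6 mask, or -1 if non-contiguous. */
int netmasklen6(const struct in6_addr *mask)
{
	int len = 0, seen_zero = 0, i;

	for (i = 0; i < 4; i++) {
		uint32_t w;
		int n;

		memcpy(&w, &mask->s6_addr[i * 4], 4);
		w = ntohl(w);
		if (seen_zero) {
			/* Once the run of ones ended, nothing may be set. */
			if (w)
				return -1;
			continue;
		}
		n = cls(w);
		len += n;
		if (n < 32) {
			if ((w << n) != 0)
				return -1;
			seen_zero = 1;
		}
	}
	return len;
}

/* Accept "/N", "N", "/a:b::" or "a:b::" and return the prefix length,
 * or -1 for anything that is not a valid contiguous IPv6 mask. */
int parse_ipv6_netmask(const char *s)
{
	char *end;
	long n;
	struct in6_addr a;

	if (*s == '/')
		s++;
	n = strtol(s, &end, 10);
	if (end != s && *end == '\0')
		return (n >= 0 && n <= 128) ? (int)n : -1;
	if (inet_pton(AF_INET6, s, &a) != 1)
		return -1;
	return netmasklen6(&a);
}
```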

950bdf0... by Dan Lenski

Remove attempt_period from protocol-specific udp_setup() functions

All protocols just plunk it into vpninfo->dtls_attempt_period. Let's
just do that in the library wrapper function.

Signed-off-by: Daniel Lenski <email address hidden>

89c2e5c... by dwmw2

Fix DTLS MTU probe timeouts

We mustn't ask for a timeout of 0ms; that means infinite.

Signed-off-by: David Woodhouse <email address hidden>

cc58696... by dwmw2

Handle empty response buf in process_http_response()

If there is no body and the 'body' buf has never had any data in it, then
body->data can be NULL. So don't dereference it when trying to ensure a
NUL at the end.

Signed-off-by: David Woodhouse <email address hidden>

307bb09... by dwmw2

Avoid free of argv[] when ciphersuite_config provided

This should use dup_config_arg() since it gets freed.

Signed-off-by: David Woodhouse <email address hidden>

365516b... by dwmw2

Fix memory leak in F5 config parsing

Wouldn't this be easier in C++? Or maybe Rust?

Signed-off-by: David Woodhouse <email address hidden>