I could have sworn that at some point this morning, that trick of turning
ESP off and then on again was working, and allowing reconnections. But I
can't reproduce that after correct amounts of coffee. I only ever see it
being turned *off*, and a log message 'Transport mode switched over to SSL
for user with NCIP 10.200.200.1', and staying off.
The server seems to default to ESP enabled if we've configured ESP, even
before the probes occur. The client has to explicitly turn it *off* with
the 'ncmo=0' packet, to fall back to TLS. And then can't turn ESP back
on again, AFAICT. This is kind of stupid, but it doesn't look like we
can do any better.
Signed-off-by: David Woodhouse <email address hidden>

Only send the ncmo=1 packet once ESP is *established*, like Juniper does.
However... this *might* break ESP completely, if the server isn't even
listening until we send ncmo=1. The Windows client does seem to send
it up front...
Signed-off-by: David Woodhouse <email address hidden>

I lifted this code to use it elsewhere and found that 'openssl dgst -verify'
didn't like the resulting signatures.
So ensure we have a definite length for the overall SEQUENCE and that we
don't have gratuitous zeroes at the start of each INTEGER. Even 'openssl
asn1parse' whines about the latter, calling it a :BAD INTEGER:.
I can't find any documentation which mandates DER, and I don't see the
point since there's a randomly generated salt so there's no 'canonical'
signature result anyway. But it doesn't hurt, and this matches what
GnuTLS does in 3.6.0 onwards where it *does* provide this function.
Signed-off-by: David Woodhouse <email address hidden>
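The DER rules that commit message relies on, as an added example (not OpenConnect code): an encoder that wraps (r, s) in a definite-length SEQUENCE with minimally encoded INTEGERs, and a checker that flags the two defects the message names. It assumes the INTEGER bodies are under 128 bytes, which holds for every NIST curve.

```python
# Added example, not part of the original commit or of OpenConnect.
# DER ECDSA signature: SEQUENCE { INTEGER r, INTEGER s }, definite length,
# each INTEGER minimal (one 0x00 pad only when the top bit would read as a sign).

def der_length(n: int) -> bytes:
    """Definite-form length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(octets)]) + octets

def der_integer(value: int) -> bytes:
    """Minimal DER INTEGER for a non-negative value (r and s are never negative)."""
    if value < 0:
        raise ValueError("ECDSA r/s are non-negative")
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:          # would be parsed as negative: add exactly one zero
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body

def ecdsa_sig_to_der(r: int, s: int) -> bytes:
    body = der_integer(r) + der_integer(s)
    return b"\x30" + der_length(len(body)) + body

def check_ecdsa_sig_der(sig: bytes) -> list:
    """Return the defects the commit message describes (empty list = clean):
    an indefinite-length SEQUENCE, or an INTEGER with a gratuitous leading zero.
    Assumes INTEGER lengths use the short form (bodies under 128 bytes)."""
    problems = []
    if len(sig) < 2 or sig[0] != 0x30:
        return ["not a SEQUENCE"]
    if sig[1] == 0x80:                     # 0x80 alone means indefinite length
        return ["SEQUENCE uses indefinite length"]
    pos = 2 + (sig[1] & 0x7F if sig[1] & 0x80 else 0)
    for name in ("r", "s"):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            problems.append(f"{name}: expected INTEGER")
            break
        n = sig[pos + 1]
        body = sig[pos + 2:pos + 2 + n]
        if n == 0 or len(body) != n:
            problems.append(f"{name}: bad INTEGER length")
            break
        # A leading 0x00 is only legitimate when the next byte has its top bit set.
        if n >= 2 and body[0] == 0x00 and not (body[1] & 0x80):
            problems.append(f"{name}: gratuitous leading zero")
        pos += 2 + n
    return problems
```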