From 7e06e1acfb39cf805c7c41623e15ad089b496095 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Sun, 25 May 2014 18:49:29 +0200
Subject: [PATCH] Return 401 error on cookie authentication failure.

---
 src/worker-vpn.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/worker-vpn.c b/src/worker-vpn.c
index 9b1484fb..d7e42f86 100644
--- a/src/worker-vpn.c
+++ b/src/worker-vpn.c
@@ -1375,8 +1375,15 @@ static int connect_handler(worker_st * ws)
 	ret = auth_cookie(ws, ws->cookie, ws->cookie_size);
 	if (ret < 0) {
 		oclog(ws, LOG_INFO, "failed cookie authentication attempt");
-		tls_puts(ws->session,
-			 "HTTP/1.1 503 Service Unavailable\r\n\r\n");
+		if (ret == ERR_AUTH_FAIL) {
+			tls_puts(ws->session,
+				 "HTTP/1.1 401 Unauthorized\r\n\r\n");
+			tls_puts(ws->session,
+				 "X-Reason: Cookie is not acceptable\r\n\r\n");
+		} else {
+			tls_puts(ws->session,
+				 "HTTP/1.1 503 Service Unavailable\r\n\r\n");
+		}
 		tls_fatal_close(ws->session, GNUTLS_A_ACCESS_DENIED);
 		exit_worker(ws);
 	}