The VPN client that comes with the Cisco IP-Phone Enterprise
firmware is based on AnyConnect but was unable to authenticate
with ocserv.
The phone makes an initial GET request and looks for a cookie
named 'webvpn' that has an expiry attribute and a cookie named
'webvpnlogin' containing a non-empty value.
When username+password mode is configured, the phone will then
send a POST request containing those credentials. When using
certificate authentication an empty POST request is sent.
A handler that implements this new behaviour has been added
under the '/svc' path.
To use DTLS 'dtls-legacy' must be enabled and 'udp-port' must
be 443, a new 'cisco-svc-client-compat' option automatically
checks those settings.
New test cases test-pass-svc and test-cert-svc check the above
behaviour.
Older versions of the phone's firmware will fail to create the
DTLS tunnel if the cipher negotiated for HTTPS does not match
that selected for DTLS.
To work-around this either disable DTLS or only allow the
RSA-AES-256-CBC/SHA1 or RSA-AES-128-CBC/SHA1 cipher to be used.
doc/README-cisco-svc.md includes additional information.
Note: 'Enterprise' here is used to differentiate between that
firmware and the MPP (Multi-Platform) firmware which uses the
same hardware.
Signed-off-by: Gareth Palmer <gareth.palmer3@gmail.com>
996d021e1b