mirror of
https://gitlab.com/openconnect/ocserv.git
synced 2026-02-09 16:26:59 +08:00
996d021e1b
The VPN client that comes with the Cisco IP-Phone Enterprise firmware is based on AnyConnect but was unable to authenticate with ocserv. The phone makes an initial GET request and looks for a cookie named 'webvpn' that has an expiry attribute and a cookie named 'webvpnlogin' containing a non-empty value. When username+password mode is configured, the phone will then send a POST request containing those credentials. When using certificate authentication an empty POST request is sent. A handler that implements this new behaviour has been added under the '/svc' path. To use DTLS 'dtls-legacy' must be enabled and 'udp-port' must be 443, a new 'cisco-svc-client-compat' option automatically checks those settings. New test cases test-pass-svc and test-cert-svc check the above behaviour. Older versions of the phone's firmware will fail to create the DTLS tunnel if the cipher negotiated for HTTPS does not match that selected for DTLS. To work-around this either disable DTLS or only allow the RSA-AES-256-CBC/SHA1 or RSA-AES-128-CBC/SHA1 cipher to be used. doc/README-cisco-svc.md includes additional information. Note: 'Enterprise' here is used to differentiate between that firmware and the MPP (Multi-Platform) firmware which uses the same hardware. Signed-off-by: Gareth Palmer <gareth.palmer3@gmail.com>
84 lines
2.9 KiB
Bash
Executable File
84 lines
2.9 KiB
Bash
Executable File
#!/bin/sh
|
|
#
|
|
# Copyright (C) 2023 Gareth Palmer
|
|
#
|
|
# This file is part of ocserv.
|
|
#
|
|
# ocserv is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU General Public License as published by the
|
|
# Free Software Foundation; either version 2 of the License, or (at
|
|
# your option) any later version.
|
|
#
|
|
# ocserv is distributed in the hope that it will be useful, but
|
|
# WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
# General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with GnuTLS; if not, write to the Free Software Foundation,
|
|
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
|
|
SERV="${SERV:-../src/ocserv}"
|
|
srcdir=${srcdir:-.}
|
|
NO_NEED_ROOT=1
|
|
TMPFILE=test-cert-svc.$$.tmp
|
|
|
|
CRLNAME=crl.pem.$$.tmp
|
|
CRLTMPLNAME=crl.tmpl.$$.tmp
|
|
|
|
. `dirname $0`/common.sh
|
|
|
|
eval "${GETPORT}"
|
|
|
|
echo "Testing ocserv with certificates... "
|
|
|
|
rm -f "${CRLNAME}" "${CRLTMPLNAME}"
|
|
echo crl_next_update = 999 >"${CRLTMPLNAME}"
|
|
echo crl_number = 1 >>"${CRLTMPLNAME}"
|
|
|
|
certtool --generate-crl --load-ca-privkey "${srcdir}/certs/ca-key.pem" --load-ca-certificate "${srcdir}/certs/ca.pem" \
|
|
--outfile "${CRLNAME}" --template "${CRLTMPLNAME}" >/dev/null 2>&1
|
|
if test $? != 0;then
|
|
kill $PID
|
|
exit 77
|
|
fi
|
|
|
|
update_config test3.config
|
|
echo "udp-port = 0" >>${CONFIG}
|
|
echo "cisco-svc-client-compat = true" >>${CONFIG}
|
|
launch_simple_sr_server -d 1 -f -c ${CONFIG}
|
|
PID=$!
|
|
|
|
wait_server $PID
|
|
|
|
echo -n "Connecting to obtain cookie (without certificate)... "
|
|
( LD_PRELOAD=libsocket_wrapper.so curl --user-agent "Cisco SVC IPPhone Client v1.0" --silent --insecure https://$ADDRESS:$PORT/svc --include --request POST --output $TMPFILE ) ||
|
|
fail $PID "POST request failed"
|
|
|
|
grep -q "Set-Cookie: webvpn=[^;]\+" $TMPFILE && fail $PID "Could connect without certificate"
|
|
echo "ok (failed as expected)"
|
|
|
|
echo -n "Connecting to obtain cookie (with invalid certificate)... "
|
|
( LD_PRELOAD=libsocket_wrapper.so curl --user-agent "Cisco SVC IPPhone Client v1.0" --silent --insecure --key "${srcdir}/certs/user-key.pem" --cert "${srcdir}/certs/user-cert-invalid.pem" https://$ADDRESS:$PORT/svc --include --request POST --output $TMPFILE ) ||
|
|
echo "" >$TMPFILE
|
|
|
|
grep -q "Set-Cookie: webvpn=[^;]\+" $TMPFILE && fail $PID "Could connect with invalid certificate"
|
|
echo "ok (failed as expected)"
|
|
|
|
echo -n "Connecting to obtain cookie (with certificate)... "
|
|
( LD_PRELOAD=libsocket_wrapper.so curl --user-agent "Cisco SVC IPPhone Client v1.0" --silent --insecure --key "${srcdir}/certs/user-key.pem" --cert "${srcdir}/certs/user-cert.pem" https://$ADDRESS:$PORT/svc --include --request POST --output $TMPFILE ) ||
|
|
fail $PID "POST request failed"
|
|
|
|
grep -q "Set-Cookie: webvpn=[^;]\+" $TMPFILE || fail $PID "Could not connect with certificate"
|
|
echo ok
|
|
|
|
rm -f "${CRLNAME}" "${CRLTMPLNAME}" "${TMPFILE}"
|
|
|
|
cleanup
|
|
|
|
if test $? != 0;then
|
|
exit 1
|
|
fi
|
|
|
|
exit 0
|