Add --no-http-keepalive option to help work around Cisco incompetence.
author David Woodhouse <David.Woodhouse@intel.com>
Fri, 9 Apr 2010 09:29:10 +0000 (10:29 +0100)
committer David Woodhouse <David.Woodhouse@intel.com>
Fri, 9 Apr 2010 09:29:10 +0000 (10:29 +0100)
We know that certain versions of the ASA software (8.2.2.5 at least) are
buggy and will 'forget' the client's SSL certificate by the time they
receive the second request on a re-used HTTP connection. We have an
unconditional workaround for the case where we _know_ that bug will
trip, in commit 357c85e8 ("Always close HTTP/1.0 connection...").

Cisco's support staff are completely useless and have failed to give any
competent response to the bug report -- so not only does it look like
they won't fix it, but we don't actually know what under _other_
circumstances this same bug might manifest itself.

This patch adds an option to disable _all_ connection re-use. The
intention is that users can try it out if they encounter problems, then
report to the mailing list that it worked so that we can work out how
to trigger it automatically.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
http.c
main.c
openconnect.8
openconnect.h

diff --git a/http.c b/http.c
index 32799b5..6691a43 100644 (file)
--- a/http.c
+++ b/http.c
@@ -290,7 +290,7 @@ static int process_http_response(struct openconnect_info *vpninfo, int *result,
                }
        }
 
-       if (closeconn) {
+       if (closeconn || vpninfo->no_http_keepalive) {
                SSL_free(vpninfo->https_ssl);
                vpninfo->https_ssl = NULL;
                close(vpninfo->ssl_fd);
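Review bot: the widened condition `if (closeconn || vpninfo->no_http_keepalive)` carries no comment explaining why a reusable connection is deliberately torn down, so a later reader may treat the extra clause as dead weight; suggest a one-line comment pointing at the ASA certificate-forgetting bug and the man page entry. Since this path now frees `https_ssl` and closes `ssl_fd` after every response when the flag is set, it is also worth confirming that every caller which issues a follow-up request already handles a NULL `https_ssl` by reconnecting, exactly as it must for the existing `closeconn` case.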
diff --git a/main.c b/main.c
index f2c8321..11de683 100644 (file)
--- a/main.c
+++ b/main.c
@@ -95,6 +95,7 @@ static struct option long_options[] = {
        {"disable-ipv6", 0, 0, 0x05},
        {"no-proxy", 0, 0, 0x06},
        {"libproxy", 0, 0, 0x07},
+       {"no-http-keepalive", 0, 0, 0x08},
        {NULL, 0, 0, 0},
 };
 
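Review bot: the new long-only option is keyed by the bare magic value `0x08`, continuing the `0x05`..`0x07` pattern above it, which leaves the matching `case 0x08:` in `main()` unreadable without cross-referencing this table; suggest an enum or `#define` (for example `OPT_NO_HTTP_KEEPALIVE`) used in both places so the option name and its handler are tied together by the compiler rather than by convention.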
@@ -140,6 +141,7 @@ void usage(void)
        printf("      --disable-ipv6              Do not ask for IPv6 connectivity\n");
        printf("      --dtls-ciphers=LIST         OpenSSL ciphers to support for DTLS\n");
        printf("      --no-dtls                   Disable DTLS\n");
+       printf("      --no-http-keepalive         Disable HTTP connection re-use\n");
        printf("      --no-passwd                 Disable password/SecurID authentication\n");
        printf("      --passwd-on-stdin           Read password from standard input\n");
        printf("      --reconnect-timeout         Connection retry timeout in seconds\n");
@@ -327,6 +329,11 @@ int main(int argc, char **argv)
                        autoproxy = 1;
                        proxy = NULL;
                        break;
+               case 0x08:
+                       fprintf(stderr, "Disabling all HTTP connection re-use due to --no-http-keepalive option.\n"
+                               "If this helps, please report to <openconnect-devel@lists.infradead.org>.\n");
+                       vpninfo->no_http_keepalive = 1;
+                       break;
                case 's':
                        vpninfo->vpnc_script = optarg;
                        break;
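Review bot: the `fprintf(stderr, ...)` in `case 0x08:` asks the user to report to the list but does not say what to include, so the reports this option is meant to solicit may arrive without the details needed to build an automatic trigger; suggest the message (or the man page it should point to, rather than duplicating the list address in two places) ask for the ASA software version and whether certificate authentication succeeded only with the option set. Printing unconditionally at option-parse time is reasonable here, since the whole point is to make the workaround visible in any log a user pastes.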
index f1fbf4f..9a0c88b 100644 (file)
@@ -134,6 +134,9 @@ openconnect \- Connect to Cisco AnyConnect VPN
 .B --no-dtls
 ]
 [
+.B --no-http-keepalive
+]
+[
 .B --no-passwd
 ]
 [
@@ -298,6 +301,25 @@ Set OpenSSL ciphers to support for DTLS
 .B --no-dtls
 Disable DTLS
 .TP
+.B --no-http-keepalive
+Version 8.2.2.5 of the Cisco ASA software has a bug where it will forget
+the client's SSL certificate when HTTP connections are being re-used for
+multiple requests. So far, this has only been seen on the initial connection,
+where the server gives an HTTP/1.0 redirect response with an explicit
+.B Connection: Keep-Alive
+directive. OpenConnect as of v2.22 has an unconditional workaround for this,
+which is never to obey that directive after an HTTP/1.0 response.
+
+However, Cisco's support team has failed to give any competent
+response to the bug report and we don't know under what other
+circumstances their bug might manifest itself. So this option exists
+to disable ALL re-use of HTTP sessions and cause a new connection to be
+made for each request. If your server seems not to be recognising your
+certificate, try this option. If it makes a difference, please report
+this information to the
+.B openconnect-devel@lists.infradead.org
+mailing list.
+.TP
 .B --no-passwd
 Never attempt password (or SecurID) authentication
 .TP
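Review bot: the `--no-http-keepalive` entry explains the ASA bug well but does not state the cost of the option, namely a full new TLS handshake (and client certificate presentation) for every HTTP request; one sentence saying so would make clear why this is a diagnostic workaround rather than a default, and why users should report back so the trigger can be automated, as the commit message intends. The reference to the v2.22 unconditional workaround for HTTP/1.0 `Connection: Keep-Alive` responses is useful context and should stay.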
index 3438e78..06632c2 100644 (file)
@@ -173,6 +173,7 @@ struct openconnect_info {
        char *dtls_ciphers;
        uid_t uid_csd;
        int uid_csd_given;
+       int no_http_keepalive;
 
        char *cookie;
        struct vpn_option *cookies;
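Review bot: `int no_http_keepalive;` is dropped between the `uid_csd` fields and `cookie`, although the only code that reads it is the HTTP connection handling in `http.c` next to `https_ssl` and `ssl_fd`; suggest placing it alongside those fields so the struct groups related state. Also confirm that `struct openconnect_info` is always zero-initialised (calloc or explicit memset) where it is allocated, since the flag relies on a zero default to keep connection re-use enabled for everyone who does not pass the option.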