Don't disable IPv6 for unknown client agents

We are now planning to change the default HTTP user-agent string in
the OpenConnect client. In order to improve compatibility with Cisco
servers, it needs to start with `AnyConnect`; likely, the complete
prefix will be `AnyConnect-compatible OpenConnect VPN Agent`. (Details
in https://gitlab.com/openconnect/openconnect/-/merge_requests/497)

ocserv treats clients differently depending on their user-agent
strings:

1. ocserv makes simplifications/accommodations in its authentication
   flow to accommodate old versions of OpenConnect
   (`AGENT_OPENCONNECTV3`).
   https://gitlab.com/openconnect/ocserv/-/blob/master/src/worker-auth.c

2. `ocserv` entirely disables IPv6 for old versions of OpenConnect
   (`AGENT_OPENCONNECTV3`) *and* for unknown client software
   (`AGENT_UNKNOWN`).
   https://gitlab.com/openconnect/ocserv/-/blob/master/src/worker-vpn.c#L2123-2136

At this point, ocserv seems to be aware of a reasonably-complete list
of compatible client software: AnyConnect, OpenConnect, Clavister
OneConnect, AnyLink, and Cisco SVC IPPhone.

Among these, *only* old OpenConnect clients are known to require special
handling to unconditionally disable IPv6.

This patch modifies ocserv so that IPv6 is disabled *only* for old
OpenConnect clients, and not for unknown clients. This should make the
transition to OpenConnect's modified UA string go more smoothly.

This should also improve "future-proofness" generally. Accommodations
for buggy clients should specifically list the affected clients,
rather than include unknown clients, since unknown clients are most
likely to be newer clients, in which bugs and incompatibilities may
have been fixed.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski 2023-10-04 21:21:08 -07:00 committed by Nikos Mavrogiannopoulos
parent aaf2a53246
commit 8b8a1a7b53

@ -2122,16 +2122,20 @@ static int connect_handler(worker_st * ws)
oclog(ws, LOG_INFO, "IPv6 routes/DNS disabled because IPv6 support was not requested.");
} else {
switch (req->user_agent_type) {
case AGENT_OPENCONNECT_V3:
req->no_ipv6 = 1;
oclog(ws, LOG_INFO, "IPv6 routes/DNS disabled because the agent is known not to support them.");
break;
case AGENT_OPENCONNECT:
case AGENT_ANYCONNECT:
case AGENT_OPENCONNECT_CLAVISTER:
case AGENT_ANYLINK:
oclog(ws, LOG_DEBUG, "Enabling IPv6 routes/DNS because the agent is known to support them.");
break;
case AGENT_OPENCONNECT_V3:
case AGENT_UNKNOWN:
default:
req->no_ipv6 = 1;
oclog(ws, LOG_INFO, "IPv6 routes/DNS disabled because the agent is not known.");
oclog(ws, LOG_NOTICE, "Enabling IPv6 routes/DNS although the agent is unknown.");
break;
}
}
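Review bot: the new `case AGENT_UNKNOWN:` / `default:` branch logs "Enabling IPv6 routes/DNS although the agent is unknown", but `default:` also catches every enumerated agent type that has no explicit case, so a client ocserv has in fact recognised would be reported as unknown; the commit message itself counts Cisco SVC IPPhone among the known clients, yet no `case` in this switch names it. Suggest keeping the NOTICE under `case AGENT_UNKNOWN:` alone and giving `default:` its own message that includes `req->user_agent_type`, or adding an explicit case for each agent the message lists, so the log line stays truthful. Minor: the disable path uses LOG_INFO while this new per-connection message is LOG_NOTICE; the commit message's "future-proofness" argument suggests unknown agents are the expected common case, so LOG_INFO would keep the levels consistent.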