Gareth Palmer authored
The VPN client that comes with the Cisco IP-Phone Enterprise firmware is based on AnyConnect but was unable to authenticate with ocserv.

The phone makes an initial GET request and looks for a cookie named 'webvpn' that has an expiry attribute and a cookie named 'webvpnlogin' containing a non-empty value. When username+password mode is configured, the phone will then send a POST request containing those credentials. When using certificate authentication, an empty POST request is sent.

A handler that implements this new behaviour has been added under the '/svc' path.

To use DTLS, 'dtls-legacy' must be enabled and 'udp-port' must be 443; a new 'cisco-svc-client-compat' option automatically checks those settings.

New test cases test-pass-svc and test-cert-svc check the above behaviour.

Older versions of the phone's firmware will fail to create the DTLS tunnel if the cipher negotiated for HTTPS does not match that selected for DTLS. To work around this, either disable DTLS or only allow the RSA-AES-256-CBC/SHA1 or RSA-AES-128-CBC/SHA1 cipher to be used.

doc/README-cisco-svc.md includes additional information.

Note: 'Enterprise' here is used to differentiate between that firmware and the MPP (Multi-Platform) firmware which uses the same hardware.

Signed-off-by: Gareth Palmer <gareth.palmer3@gmail.com>
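As an added illustration (not ocserv's code and not part of the commit), the GET-then-POST exchange the message describes, with both sides modelled in Python: a minimal '/svc' handler and a client that applies the phone's cookie checks before posting. The cookie names 'webvpn' and 'webvpnlogin', the '/svc' path, the POST with credentials, and the empty POST for certificate mode come from the message; the form field names 'username'/'password', the cookie values, the session identifiers, the sample credentials, and the use of plain HTTP on loopback in place of the phone's HTTPS connection (so client-certificate verification is not modelled) are assumptions made for this example.

```python
"""Emulation of the '/svc' login exchange. Illustrative only; not ocserv code."""
import hmac
import threading
from http import HTTPStatus
from http.client import HTTPConnection
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlencode

SVC_PATH = "/svc"
# Constructed sample credentials and cookie values (assumptions, not from ocserv).
USERS = {"phone1": "s3cret"}
EXPIRY = "Sat, 01 Jan 2033 00:00:00 GMT"


class SvcHandler(BaseHTTPRequestHandler):
    """Server side: answer the phone's initial GET, then its POST."""
    protocol_version = "HTTP/1.1"

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _send(self, status, body=b"", extra_headers=()):
        self.send_response(status)
        for name, value in extra_headers:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path != SVC_PATH:
            return self._send(HTTPStatus.NOT_FOUND)
        # What the phone looks for: 'webvpn' carrying an expiry attribute and a
        # non-empty 'webvpnlogin'. The values themselves are assumptions.
        self._send(HTTPStatus.OK, b"", [
            ("Set-Cookie", f"webvpn=0; expires={EXPIRY}; path=/"),
            ("Set-Cookie", "webvpnlogin=1; path=/"),
        ])

    def do_POST(self):
        if self.path != SVC_PATH:
            return self._send(HTTPStatus.NOT_FOUND)
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        if not body:
            # Empty POST: certificate mode. A real server relies on the client
            # certificate verified during the TLS handshake (not modelled here).
            return self._send(HTTPStatus.OK, b"", [("Set-Cookie", "webvpn=cert-session; path=/")])
        form = parse_qs(body.decode("utf-8", "replace"))
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        # Constant-time comparison so a wrong password does not leak prefix matches.
        if hmac.compare_digest(USERS.get(user, "").encode(), password.encode()):
            return self._send(HTTPStatus.OK, b"", [("Set-Cookie", f"webvpn={user}-session; path=/")])
        self._send(HTTPStatus.UNAUTHORIZED)


def phone_accepts_cookies(set_cookie_headers):
    """Client side: the two conditions the commit message says the phone checks."""
    has_webvpn_expiry = has_login = False
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if name == "webvpn" and morsel["expires"]:
                has_webvpn_expiry = True
            if name == "webvpnlogin" and morsel.value:
                has_login = True
    return has_webvpn_expiry and has_login


def phone_login(host, port, username=None, password=None):
    """Emulate the phone: GET, verify cookies, then POST credentials or an empty body.
    Returns the session cookie value on success, None otherwise."""
    conn = HTTPConnection(host, port, timeout=5)
    conn.request("GET", SVC_PATH)
    resp = conn.getresponse()
    resp.read()
    if resp.status != 200 or not phone_accepts_cookies(resp.headers.get_all("Set-Cookie") or []):
        conn.close()
        return None
    body = urlencode({"username": username, "password": password}).encode() if username else b""
    conn.request("POST", SVC_PATH, body=body,
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    if resp.status != 200:
        return None
    for header in resp.headers.get_all("Set-Cookie") or []:
        jar = SimpleCookie()
        jar.load(header)
        if "webvpn" in jar:
            return jar["webvpn"].value
    return None


def start_server():
    """Start the handler on an ephemeral loopback port; caller calls .shutdown()."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), SvcHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    print("password mode:", phone_login("127.0.0.1", port, "phone1", "s3cret"))
    print("wrong password:", phone_login("127.0.0.1", port, "phone1", "nope"))
    print("certificate mode:", phone_login("127.0.0.1", port))
    srv.shutdown()
```

The client deliberately refuses to POST when the GET response lacks either cookie, which reproduces the failure mode the message describes against a server that does not set them; the DTLS cipher mismatch on older firmware cannot be shown at this layer and is handled only by the configuration advice above.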