Skip to content
  • Gareth Palmer's avatar
    Add support for Cisco IP-Phone Enterprise firmware VPN client. · 996d021e
    Gareth Palmer authored
    The VPN client that comes with the Cisco IP-Phone Enterprise
    firmware is based on AnyConnect but was unable to authenticate
    with ocserv.
    The phone makes an initial GET request and looks for a cookie
    named 'webvpn' that has an expiry attribute and a cookie named
    'webvpnlogin' containing a non-empty value.
    When username+password mode is configured, the phone will then
    send a POST request containing those credentials. When using
    certificate authentication an empty POST request is sent.
    A handler that implements this new behaviour has been added
    under the '/svc' path.
    To use DTLS 'dtls-legacy' must be enabled and 'udp-port' must
    be 443, a new 'cisco-svc-client-compat' option automatically
    checks those settings.
    New test cases test-pass-svc and test-cert-svc check the above
    Older versions of the phone's firmware will fail to create the
    DTLS tunnel if the cipher negotiated for HTTPS does not match
    that selected for DTLS.
    To work-ar...