Recently implemented "Transfer-Encoding: chunked" check prevents connecting to Fortigate
We have used openconnect with Fortigate VPN for a few years, and we have about 3k clients. There was a recent implementation of a chunk header size check in openconnect: 539265bb
This change is preventing us from connecting to Fortigate, as more and more of our users update their openconnect client. Fortigate adds two extra space characters in the chunk headers, after the chunk size in hex and before CR+LF, as you can see in the example captured from our Fortigate below:
HTTP/1.1 200 OK
Date: Thu, 11 Jan 2024 22:36:42 GMT
Transfer-Encoding: chunked
Content-Type: text/xml
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' https: 'unsafe-eval' 'unsafe-inline' blob:;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
7aeb
<?xml version='1.0' encoding='utf-8'?><sslvpn-tunnel ver='2' dtls='1' patch='1'><dtls-config heartbeat-interval='10' heartbeat-fail-count='10' heartbeat-idle-timeout='10' client-hello-timeout='10' /><tunnel-method value=................[REDACTED]
I know the check is correct, and Fortigate is not implementing this correctly on their side, and they are the ones who should correct the issue by removing the extra whitespace. However, we pay for support and have contacted them about this, and it seems like they are more than happy this is occurring: their response was that openconnect is not supported to work with Fortigate, and they are not lifting a finger to fix this issue, because now people will be forced to use their client ...
So I'm asking you about the possibility of removing this check, or adding a command line flag to ignore it. Can I submit an MR in that direction?
Otherwise we will be forced to stop using openconnect and go back to that horrible Forticlient app ...
Thanks
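To make the disagreement in the report concrete, here is an added example of a small chunked-body decoder with a strict chunk-size line parser and an explicit, narrowly scoped lenient mode. It is not openconnect's code and not the code of the commit referenced above; the sample bodies are constructed (the capture above shows a `7aeb` chunk followed by two spaces, so the sample uses a short `5  \r\n` chunk in the same shape), the function names are hypothetical, and chunk extensions are handled in simplified form (no quoted strings). The point it shows is the one behind the check: a chunk-size line that does not match the strict grammar is exactly the kind of input on which two HTTP parsers in a chain can disagree about where a message ends, so tolerance is best an opt-in that accepts only SP/HTAB before CRLF and nothing else.

```python
import re

# Strict chunk-size line: HEXDIG+ [";" extension] CRLF.
# The extension is simplified here: no SP/HTAB and no quoted strings.
_STRICT = re.compile(rb"([0-9A-Fa-f]+)(;[^\r\n \t]*)?\r\n")
# Lenient variant: additionally tolerates SP/HTAB between the size
# (or extension) and CRLF, matching the shape of the capture above.
_LENIENT = re.compile(rb"([0-9A-Fa-f]+)(;[^\r\n \t]*)?[ \t]*\r\n")


class ChunkError(ValueError):
    """Raised for any chunk framing the parser does not accept."""


def parse_chunk_size_line(line: bytes, allow_trailing_ws: bool = False) -> int:
    """Return the chunk size from one complete chunk-size line (including CRLF).

    Anything other than the exact grammar (plus optional SP/HTAB when
    allow_trailing_ws is set) is rejected rather than guessed at.
    """
    pattern = _LENIENT if allow_trailing_ws else _STRICT
    m = pattern.fullmatch(line)
    if not m:
        raise ChunkError(f"malformed chunk-size line: {line!r}")
    return int(m.group(1), 16)


def is_valid_chunk_size_line(line: bytes, allow_trailing_ws: bool = False) -> bool:
    """Boolean wrapper around parse_chunk_size_line for quick checks."""
    try:
        parse_chunk_size_line(line, allow_trailing_ws)
        return True
    except ChunkError:
        return False


def decode_chunked(body: bytes, allow_trailing_ws: bool = False) -> bytes:
    """Decode a complete chunked message body into its payload bytes."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkError("truncated chunk-size line")
        size = parse_chunk_size_line(body[pos:eol + 2], allow_trailing_ws)
        pos = eol + 2
        if size == 0:
            # last-chunk: skip optional trailer fields up to the empty line
            while True:
                eol = body.find(b"\r\n", pos)
                if eol < 0:
                    raise ChunkError("truncated trailer section")
                if eol == pos:
                    return bytes(out)
                pos = eol + 2
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ChunkError("truncated chunk data")
        pos += size
        # each chunk's data must be followed by its own CRLF
        if body[pos:pos + 2] != b"\r\n":
            raise ChunkError("missing CRLF after chunk data")
        pos += 2
        out += chunk


# Constructed sample bodies (not from the capture above):
WELL_FORMED = b"5\r\nhello\r\n0\r\n\r\n"
FORTIGATE_STYLE = b"5  \r\nhello\r\n0\r\n\r\n"  # two spaces after the size


if __name__ == "__main__":
    print("strict, well-formed:", decode_chunked(WELL_FORMED))
    print("lenient, two spaces:", decode_chunked(FORTIGATE_STYLE, allow_trailing_ws=True))
    try:
        decode_chunked(FORTIGATE_STYLE)
    except ChunkError as e:
        print("strict, two spaces :", e)
```

The lenient pattern deliberately accepts only SP and HTAB: a line such as `5 x\r\n` is still rejected in both modes, so an opt-in flag of this shape widens the grammar by the single, observed deviation and no further.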