Openconnect messing with cookies that end with equals
FortiGate issues base64-encoded cookies, which means cookies can end in one or two equal signs, e.g. XYZ, XYZ=, XYZ==
When a FortiGate-issued cookie ends with equal signs (one or two), openconnect does not parse the cookie correctly, resulting in the connection being denied.
Example, no equal sign (success):
openconnect --protocol=fortinet --verbose --dump-http-traffic --server=https://www.infradead.org/ --cookie=XYZ | grep "Cookie:"
> Cookie: SVPNCOOKIE=XYZ
Example, one equal sign (error, no cookie in the request):
openconnect --protocol=fortinet --verbose --dump-http-traffic --server=https://www.infradead.org/ --cookie=XYZ= | grep "Cookie:"
Example, two equal signs (malformed cookie in the request):
openconnect --protocol=fortinet --verbose --dump-http-traffic --server=https://www.infradead.org/ --cookie=XYZ== | grep "Cookie:"
> Cookie: XYZ==
When the --cookie parameter ends with equal signs, the function internal_split_cookies in http.c erroneously parses the cookie as multiple cookies, which
So it's hard to connect to a FortiGate, as it emits more cookies ending in equal signs than not.
Edited by Dimitri Papadopoulos Orfanos
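As an added illustration (this is example code written for this page, not openconnect's own http.c and not the project's fix), the splitter below reproduces the three inputs from the report and shows one way to keep base64 padding in a cookie value. The function names (split_cookies, cookie_header, fortinet_cookie_header), the struct and the decision rule are assumptions of the example: a ';'-separated segment is only treated as name=value when the text after its first '=' contains something other than '=' padding, so XYZ= and XYZ== become the value of the default name SVPNCOOKIE (the default name the report's successful run shows), while SVPNCOOKIE=XYZ== still splits into name and value.

```c
/* Added example for the openconnect issue above; not code from the project. */
#include <stdio.h>
#include <string.h>

#define MAX_COOKIES 8
#define NAME_LEN 64
#define VALUE_LEN 512

struct cookie {
	char name[NAME_LEN];
	char value[VALUE_LEN];
};

/* Copy at most n bytes of src into dst (size len), trimming spaces and
 * NUL-terminating; silently truncates oversized input. */
static void copy_trim(char *dst, size_t len, const char *src, size_t n)
{
	while (n && *src == ' ') { src++; n--; }
	while (n && src[n - 1] == ' ') n--;
	if (n >= len) n = len - 1;
	memcpy(dst, src, n);
	dst[n] = '\0';
}

/* Heuristic (an assumption of this example, not openconnect's rule): the
 * segment seg[0..n) with its first '=' at index eq is "name=value" only if
 * something other than '=' padding follows that '='. So "XYZ", "XYZ=" and
 * "XYZ==" are bare values, while "SVPNCOOKIE=XYZ==" is a name/value pair. */
static int looks_like_name_value(const char *seg, size_t n, size_t eq)
{
	size_t i;
	if (eq == 0)
		return 0;                 /* "=abc" has no name */
	for (i = eq + 1; i < n; i++)
		if (seg[i] != '=')
			return 1;
	return 0;
}

/* Split a ';'-separated cookie string into out[]. Segments without a real
 * name get def_name. Returns the cookie count, or -1 if more than max. */
int split_cookies(const char *input, const char *def_name,
		  struct cookie *out, int max)
{
	int count = 0;
	const char *p = input;

	for (;;) {
		const char *semi, *eq;
		size_t n;

		while (*p == ' ')
			p++;
		if (!*p)
			break;
		semi = strchr(p, ';');
		n = semi ? (size_t)(semi - p) : strlen(p);
		eq = (const char *)memchr(p, '=', n);

		if (n > 0) {              /* skip empty segments such as a trailing ';' */
			if (count == max)
				return -1;
			if (eq && looks_like_name_value(p, n, (size_t)(eq - p))) {
				copy_trim(out[count].name, NAME_LEN, p, (size_t)(eq - p));
				copy_trim(out[count].value, VALUE_LEN, eq + 1,
					  n - (size_t)(eq - p) - 1);
			} else {
				copy_trim(out[count].name, NAME_LEN, def_name, strlen(def_name));
				copy_trim(out[count].value, VALUE_LEN, p, n);
			}
			count++;
		}
		p = semi ? semi + 1 : p + n;
	}
	return count;
}

/* Render "Cookie: a=b; c=d" into buf. Returns the length, or -1 on overflow. */
int cookie_header(const struct cookie *c, int count, char *buf, size_t len)
{
	int i, used = snprintf(buf, len, "Cookie:");
	if (used < 0 || (size_t)used >= len)
		return -1;
	for (i = 0; i < count; i++) {
		int w = snprintf(buf + used, len - (size_t)used, "%s%s=%s",
				 i ? "; " : " ", c[i].name, c[i].value);
		if (w < 0 || (size_t)w >= len - (size_t)used)
			return -1;
		used += w;
	}
	return used;
}

/* What a Fortinet --cookie argument would turn into on the wire. */
int fortinet_cookie_header(const char *arg, char *buf, size_t len)
{
	struct cookie c[MAX_COOKIES];
	int n = split_cookies(arg, "SVPNCOOKIE", c, MAX_COOKIES);
	return n < 0 ? -1 : cookie_header(c, n, buf, len);
}

int main(void)
{
	/* The three inputs from the report, constructed here for the demo. */
	const char *args[] = { "XYZ", "XYZ=", "XYZ==" };
	char buf[256];
	size_t i;

	for (i = 0; i < sizeof args / sizeof args[0]; i++) {
		if (fortinet_cookie_header(args[i], buf, sizeof buf) < 0)
			printf("--cookie=%s -> error\n", args[i]);
		else
			printf("--cookie=%s -> %s\n", args[i], buf);
	}
	return 0;
}
```

The design choice worth noting is that the ambiguity is real: a bare "XYZ=" could be an empty-valued cookie named XYZ or a padded base64 value with no name. Since an empty cookie value is useless to a VPN client and a padded token is exactly what FortiGate hands out, the example resolves the ambiguity in favour of the value; a stricter approach would require the caller to always pass the explicit NAME=VALUE form.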