Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Unauthorized - Cisco AnyConnect external authentication (SAML) when connecting to /CSCOSSLC/tunnel
It looks like some of our Cisco ASA gateways were upgraded at work. Sadly, the upgrade included needing to spoof the AnyConnect user agent string to have AnyConnect in the prefix or you get a 404.

I am seeing 401s after the `--authenticate` step when trying to actually establish the connection. I tried using `mitmproxy` to see how Cisco AnyConnect client is still working but my connections are refused when I use transparent proxying with `mitmproxy`. AnyConnect client works till the auth part but I never see a request to `/CSCOSSLC/tunnel` (probably since it's a CONNECT request and mitmproxy does not support those from the client/without a reverse proxy to snoop). Without `mitmproxy`, the AnyConnect client works fine.

```
~ via ❄️ impure (shell) took 7s
❯ [ -n ["$COOKIE"] ] && echo -n "$COOKIE" | sudo openconnect --useragent='AnyConnect Windows 4.10.06079' --dump-http-traffic --cookie-on-stdin $CONNECT_URL --servercert $FINGERPRINT --resolve $RESOLVE
Place your right index finger on the fingerprint reader
Ingested STRAP public key MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfrLVBFnYrsenRJJrFLzp95WTW2OEyi2sVA59xFbsz06ciJzsVe5u9Z/5otqMO3ZqHwf1GdiLNSi8Y2y2Ctwngg==
Attempting to connect to server XXXXXXXXXXXXXXX:443
Connected to XXXXXXXXXXXXXXX:443
SSL negotiation with XXXXXXXXXXXXXXX
Server certificate verify failed: signer not found
Connected to HTTPS on XXXXXXXXXXXXXXX with ciphersuite (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)
TCP_INFO rcv mss 1448, snd mss 1448, adv mss 1448, pmtu 1500
> CONNECT /CSCOSSLC/tunnel HTTP/1.1
> Host: XXXXXXXXXXXX
> User-Agent: AnyConnect Windows 4.10.06079
> Cookie: webvpn=<omitted>
> X-CSTP-Version: 1
> X-CSTP-Hostname: BINARY-EATER-DEV
> X-AnyConnect-STRAP-Verify: MEUCIHhFKl/l4qIazsfGZ/y4u+HE85/qhwA9uKnjYL+LebaVAiEAl/mkG6nbwr2NcHoEt+608ae0ArtoG4elynrecpyyHSY=
> X-AnyConnect-STRAP-Pubkey: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfrLVBFnYrsenRJJrFLzp95WTW2OEyi2sVA59xFbsz06ciJzsVe5u9Z/5otqMO3ZqHwf1GdiLNSi8Y2y2Ctwngg==
> X-CSTP-Accept-Encoding: lzs
> X-CSTP-Base-MTU: 1500
> X-CSTP-MTU: 1390
> X-CSTP-Address-Type: IPv6,IPv4
> X-CSTP-Full-IPv6-Capability: true
> X-DTLS-Master-Secret: <omitted>
> X-DTLS-CipherSuite: PSK-NEGOTIATE:OC-DTLS1_2-AES256-GCM:OC2-DTLS1_2-CHACHA20-POLY1305:OC-DTLS1_2-AES128-GCM:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA
> X-DTLS12-CipherSuite: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA
> X-DTLS-Accept-Encoding: lzs
>
Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Unauthorized
Creating SSL connection failed
Cookie was rejected by server; exiting.
```