# Issue Description ## Related Issues (that ultimately do not fix the problem) * #103 * #131 * #176 * !333 * #651 ## Problem Summary Many GlobalProtect VPN servers now require specific client versions (commonly 6.1.4+), but OpenConnect currently uses a hardcoded version "6.1.2-82" that fails modern server requirements. This causes connection failures with errors like: ``` Please ensure the compatible GlobalProtect version is: 6.1.4 or above ``` ## Technical Details **Current OpenConnect behavior:** - OpenConnect 9.12 (released): Reports `app-version=6.1.0` - OpenConnect master branch: Reports `app-version=6.1.2-82` - Both versions fail semantic version comparison: `6.1.2-82 < 6.1.4` **Evolving server requirements:** - Many enterprise GlobalProtect servers now enforce minimum version 6.1.4 - Some servers require higher versions (6.2.0, 6.3.0) - Different organizations may have different version requirements - Actual GlobalProtect clients are currently at version 6.3.3 **Root cause location:** The version is hardcoded in `gpst.c` * https://gitlab.com/openconnect/openconnect/-/blob/master/gpst.c#L654 * https://gitlab.com/openconnect/openconnect/-/blob/v9.12/gpst.c?ref_type=tags#L647 * https://gitlab.com/openconnect/openconnect/-/blob/v9.12/openconnect-internal.h?ref_type=tags#L415-L820 ```c append_opt(request_body, "app-version", vpninfo->csd_ticket ? : "6.1.2-82"); ``` It seems like the field was intended for something else. And, it has been repurposed for the GlobalProtect version? Maybe a name change is in order? ## Impact - Users cannot connect to modern GlobalProtect servers - Affects enterprise environments with updated VPN infrastructure - No user control over reported client version - Similar to the issue addressed in MR !131 but with evolving requirements ## Proposed Solution: User-Configurable Version Instead of simply bumping the hardcoded version (which would need periodic updates), implement user-configurable GlobalProtect app version support. This provides: 1. **Immediate compatibility** with any server requirement 2. **Future-proof design** - no need for periodic version bumps 3. **User flexibility** - different versions for different servers 4. **Backward compatibility** - sensible modern default ## Benefits of Configurable Approach - **Solves current problem**: Users can specify 6.1.4+ for modern servers - **Future-proof**: Works with any future version requirements - **User control**: Different versions for different environments - **No maintenance burden**: No need for periodic hardcoded updates - **API consistency**: Similar to existing `--client-cert`, `--user-agent` options ## Testing - Tested configurable version approach with multiple VPN servers - Confirmed versions 6.1.4, 6.3.0, and 6.3.3 resolve connection issues - No functional regressions observed with version changes - Compatible with existing authentication flows ## Related Issues - Similar to issue resolved in MR !131 (3 years ago) - Addresses ongoing need to keep pace with GlobalProtect server requirements - Provides permanent solution instead of temporary fixes - In https://github.com/yuezk/GlobalProtect-openconnect/issues/427 csd_ticket is used to store the GlobalProtect version.