Post by David Woodhouse
Post by Guillaume Rousse
~/.juniper_networks/network_connect/ncsvc \
-h beria.zarb.home \
-u rousse \
-r smi \
-f /etc/pki/tls/certs/localhost.crt
There's no -m option here. If you look in
~/.juniper_networks/network_connect/ .log you'll probably see a line
20101228160000.207947 ncsvc[p21179.t21179] dsssl.error ive_cert_hash = 6f13afc3c6815ab480b2ddc27406ba4b, computed_hash = ecb77116a55194c4dfba8e9aa0cc862e (DSSSLSock.cpp:761)
It doesn't like the self-signed cert on your "server". For the above
example log line, you want to add '-m ecb77116a55194c4dfba8e9aa0cc862e'
to your ncsvc invocation. Obviously, yours will differ from mine.
You *may* need to use the -m option with a dummy argument just to make
it give this log line; I'm not sure.
It works better now, thanks.
I tried the cut/paste gymnastics between s_server and s_client.
Client:
GET / HTTP/1.0
Host: portail.saclay.inria.fr
Accept: */*
Accept-Language: en-us
Connection: Keep-Alive
User-Agent: DSClient; Linux
Content-length: 0
Server:
HTTP/1.1 302 Found
Location: https://portail.saclay.inria.fr/dana-na/auth/url_default/welcome.cgi
Content-Type: text/html; charset=utf-8
Set-Cookie: DSSIGNIN=url_default; path=/dana-na/; expires=Thu, 31-Dec-2037 00:00:00 GMT; secure
Set-Cookie: DSIVS=; path=/; expires=Thu, 01 Jan 1970 22:00:00 GMT; secure
Set-Cookie: DSSignInURL=/; path=/; secure
Connection: close
Client:
GET /dana-na/auth/url_default/welcome.cgi HTTP/1.0
Host: portail.saclay.inria.fr
Accept: */*
Accept-Language: en-us
Connection: Keep-Alive
User-Agent: DSClient; Linux
Content-length: 0
Cookie: DSSIGNIN=url_default; DSSignInURL=/; DSIVS=
Server:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Tue, 25 Jan 2011 16:50:39 GMT
Connection: close
Pragma: no-cache
Cache-Control: no-store
Expires: -1
<html>
[a full web page here]
</html>
Client:
ERROR
140007421920936:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:338:
shutting down SSL
CONNECTION CLOSED
ACCEPT
Beyond the reason for the error, there are two suspicious issues here:
1) Is it expected to have the binary acting as a web client, requesting
user-targeted web forms? The submit action of this form triggers a
JavaScript function, and I don't think the binary has an embedded
JavaScript interpreter to work as a robot...
2) The initial client request is wrong: it should be 'GET /smi', due to
the usage of -r smi to ncsvc, not 'GET /' (the former leads to the
user-targeted service, the second to the admin-targeted service).
My setup seems to be insufficient to correctly work as a traffic proxy.
--
BOFH excuse #138:
BNC (brain not connected)
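
Added example, not part of either post and not Juniper's code: a shell helper that pulls the hash pair out of the dsssl.error log line quoted above and prints the matching -m argument. The function names are hypothetical, and the log format is assumed from that single sample line.

```shell
#!/bin/sh
# Added example. Log format assumed from the one dsssl.error line quoted in
# the thread; function names are hypothetical.

# Print "ive_cert_hash computed_hash" from the last well-formed dsssl.error
# line in log file $1. Status 1 if no line carries two 32-hex-digit hashes.
ncsvc_last_hashes() {
    sed -n 's/.*dsssl\.error ive_cert_hash = \([0-9a-f]\{32\}\), computed_hash = \([0-9a-f]\{32\}\).*/\1 \2/p' "$1" |
        tail -n 1 | grep .
}

# Print the "-m <hash>" argument for ncsvc, using computed_hash as the thread
# advises. Status 1 if there is no error line or the two hashes already agree.
ncsvc_m_option() {
    pair=$(ncsvc_last_hashes "$1") || return 1
    ive_hash=${pair% *}
    computed_hash=${pair#* }
    [ "$ive_hash" != "$computed_hash" ] || return 1
    printf '%s\n' "-m $computed_hash"
}

# Sample log: the first line is constructed filler, the second is the line
# quoted in the thread.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
20101228155959.000000 constructed filler line, not real ncsvc output
20101228160000.207947 ncsvc[p21179.t21179] dsssl.error ive_cert_hash = 6f13afc3c6815ab480b2ddc27406ba4b, computed_hash = ecb77116a55194c4dfba8e9aa0cc862e (DSSSLSock.cpp:761)
EOF
ncsvc_m_option "$sample_log"
```

Pinning whatever hash the log reports amounts to trust on first use, so compare it with a fingerprint obtained from the gateway's administrator before adding it to the invocation.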