No cookie given #1176

Open
jpahullo opened this issue Nov 29, 2023 · 2 comments

jpahullo commented Nov 29, 2023

Hi all,

Thanks for this project and the effort of providing open source solutions.

I have been using it at my institution until now. As of today, I cannot log in to the VPN.

The version and the trace are these:

```
$ openfortivpn --version
1.19.0
$ sudo openfortivpn url-vpn -u user -v
DEBUG:  openfortivpn 1.19.0
DEBUG:  revision unavailable
DEBUG:  Loaded configuration file "/etc/openfortivpn/config".
DEBUG:  Loaded password from configuration file "/etc/openfortivpn/config"
DEBUG:  Configuration host = "url-vpn"
DEBUG:  Configuration realm = ""
DEBUG:  Configuration port = "443"
DEBUG:  Configuration username = "user"
DEBUG:  Resolving gateway host ip
DEBUG:  Establishing ssl connection
DEBUG:  SO_KEEPALIVE: OFF
DEBUG:  TCP_KEEPIDLE: 7200
DEBUG:  TCP_KEEPINTVL: 75
DEBUG:  TCP_KEEPCNT: 9
DEBUG:  SO_SNDBUF: 16384
DEBUG:  SO_RCVBUF: 131072
DEBUG:  server_addr: ip
DEBUG:  server_port: 443
DEBUG:  gateway_addr: ip
DEBUG:  gateway_port: 443
DEBUG:  Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG:  Setting minimum protocol version to: 0x303.
DEBUG:  Gateway certificate validation succeeded.
INFO:   Connected to gateway.
DEBUG:  Empty cookie.
ERROR:  Could not authenticate to gateway. Please check the password, client certificate, etc.
DEBUG:  No cookie given (-7)
INFO:   Closed connection to gateway.
DEBUG:  SO_KEEPALIVE: OFF
DEBUG:  TCP_KEEPIDLE: 7200
DEBUG:  TCP_KEEPINTVL: 75
DEBUG:  TCP_KEEPCNT: 9
DEBUG:  SO_SNDBUF: 16384
DEBUG:  SO_RCVBUF: 131072
DEBUG:  server_addr: ip
DEBUG:  server_port: 443
DEBUG:  gateway_addr: ip
DEBUG:  gateway_port: 443
DEBUG:  Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG:  Setting minimum protocol version to: 0x303.
DEBUG:  Gateway certificate validation succeeded.
INFO:   Logged out.
```

If I add more verbosity, I can see something like:

```
[...]
INFO:   Connected to gateway.
DEBUG:  http_send:
[...]
DEBUG:  http_receive:
HTTP/1.1 200 OK
{HTTP headers}

1461 
<!DOCTYPE html>
{html content}
</html>


0


DEBUG:  Empty cookie.
ERROR:  Could not authenticate to gateway. Please check the password, client certificate, etc.
DEBUG:  No cookie given (-7)
INFO:   Closed connection to gateway.
[...]
```

I contacted our IT support and there is no problem on their side.

However, I can log in to the same VPN with the same credentials from Windows with the official client and from the web.

Is there something I missed recently?

Thanks again.

Jordi

DimitriPapadopoulos (Collaborator) commented

Message `DEBUG: Empty cookie` originates here:

openfortivpn/src/http.c

Lines 417 to 443 in bf94c2f

```c
int auth_set_cookie(struct tunnel *tunnel, const char *line)
{
	int ret = ERR_HTTP_NO_COOKIE;
	if (line) {
		const char *cookie_start;
		cookie_start = strstr(line, "SVPNCOOKIE=");
		if (cookie_start != NULL) {
			const char *cookie_end;
			size_t cookie_len;
			cookie_end = strpbrk(cookie_start, "\r\n;");
			if (cookie_end)
				cookie_len = cookie_end - cookie_start;
			else
				cookie_len = strlen(cookie_start);
			if (cookie_len > COOKIE_SIZE) {
				log_error("Cookie larger than expected: %zu > %d\n",
				          cookie_len, COOKIE_SIZE);
			} else {
				strncpy(tunnel->cookie, cookie_start, COOKIE_SIZE);
				tunnel->cookie[cookie_len] = '\0';
				if (tunnel->cookie[11] == '\0') {
					log_debug("Empty cookie.\n");
```

Message `Could not authenticate to gateway. Please check the password, client certificate, etc.` is then printed from:

openfortivpn/src/tunnel.c

Lines 1346 to 1351 in bf94c2f

```c
if (config->cookie)
	ret = auth_set_cookie(&tunnel, config->cookie);
else
	ret = auth_log_in(&tunnel);
if (ret != 1) {
	log_error("Could not authenticate to gateway. Please check the password, client certificate, etc.\n");
```

Finally, message `No cookie given (-7)` associated with `ERR_HTTP_NO_COOKIE` originates here if I'm not mistaken:

openfortivpn/src/http.c

Lines 692 to 711 in bf94c2f

```c
if (ret == ERR_HTTP_NO_COOKIE) {
	struct vpn_config *cfg = tunnel->config;
	/*
	 * If the response body includes a tokeninfo= parameter,
	 * it means the VPN gateway expects two-factor authentication.
	 * It sends a one-time authentication credential for example
	 * by email or SMS, and expects to receive it back in the
	 * second authentication stage. No SVPNCOOKIE will be provided
	 * until after the second call to /remote/logincheck.
	 *
	 * If we receive neither a tokeninfo= parameter nor an
	 * SVPNCOOKIE, it means our authentication attempt was
	 * rejected.
	 */
	ret = get_value_from_response(res, "tokeninfo=", token, 128);
	if (ret != 1) {
		// No SVPNCOOKIE and no tokeninfo, return error.
		ret = ERR_HTTP_NO_COOKIE;
```

Unless you are willing to send the HTTP requests and answers, you should look into `auth_log_in()` for clues on why openfortivpn cannot extract the cookie.

Note that Windows clients are usually VPN IPSec, while Linux clients are VPN TLS.
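
The decision path described in the comment above, from `SVPNCOOKIE=` extraction to the `tokeninfo=` fallback, as an added C example that is not part of the comment or of openfortivpn's code. `classify_response`, `COOKIE_MAX`, the enum and the sample response are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define COOKIE_MAX 255 /* assumed limit for this example, not the project's COOKIE_SIZE */

enum auth_result { AUTH_OK, AUTH_NEEDS_2FA, AUTH_EMPTY_COOKIE,
                   AUTH_NO_COOKIE, AUTH_COOKIE_TOO_LONG };

/* Classify a captured gateway response the way the thread describes:
 * a non-empty SVPNCOOKIE means success, tokeninfo= means a second
 * factor is expected, anything else is a rejected login. */
enum auth_result classify_response(const char *resp, char *cookie, size_t cap)
{
	static const char name[] = "SVPNCOOKIE=";
	const char *start = strstr(resp, name);
	int empty = 0;

	if (cap > 0)
		cookie[0] = '\0';
	if (start != NULL) {
		const char *end = strpbrk(start, "\r\n;");
		size_t len = end ? (size_t)(end - start) : strlen(start);

		if (len > COOKIE_MAX || len >= cap)
			return AUTH_COOKIE_TOO_LONG;
		if (len > sizeof(name) - 1) {
			memcpy(cookie, start, len);
			cookie[len] = '\0';
			return AUTH_OK;
		}
		empty = 1; /* "SVPNCOOKIE=" present but with no value */
	}
	if (strstr(resp, "tokeninfo=") != NULL)
		return AUTH_NEEDS_2FA;
	return empty ? AUTH_EMPTY_COOKIE : AUTH_NO_COOKIE;
}

int main(void)
{
	/* Constructed sample: 200 OK, an emptied cookie and an HTML body. */
	const char *resp = "HTTP/1.1 200 OK\r\n"
	                   "Set-Cookie: SVPNCOOKIE=; path=/; secure\r\n\r\n"
	                   "<!DOCTYPE html><html></html>";
	char cookie[COOKIE_MAX + 1];

	printf("result=%d\n", classify_response(resp, cookie, sizeof(cookie)));
	return 0;
}
```

Run against the response captured with the extra verbosity, it separates an emptied cookie from a second-factor prompt and from a response carrying no cookie at all, which the single `No cookie given (-7)` message does not.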

BrunoTeixeira1996 commented

I am having the exact same issue.
Using openfortivpn 1.19.0 in Linux Teixeira 6.1.0-17-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.69-1 (2023-12-30) x86_64 GNU/Linux.
Any idea why?
