invoke openconnect with originally-input server hostname rather than IP, to ensure that 'Host: ' header matches originally-input hostname (!20) · Merge requests · GNOME / NetworkManager-openconnect

Daniel Lenski requested to merge dlenski/NetworkManager-openconnect:use_resolve_to_fix_issue_46 into master Jan 25, 2021

Previously, NM-oc invoked openconnect --servercert $HASH $IP:$PORT for the connection phase. This causes problems for VPN servers implemented as name-based vhosts, where a Host: [IPv4_address] header in the HTTPS request(s) will lead to errors. See #46 (closed) for an example.

With this change, NM-oc invokes openconnect --servercert $HASH --resolve $HOSTNAME:$IP $HOSTNAME:$PORT, which ensures that the Host: header contains a real hostname wherever possible and leaves certificate handling unchanged.

Tested by @Nephyrin in #46 (comment 1015652)

UPDATE: I've also incorporated a fix for #18 here (see discussion in !14 (comment 1016563)), since it also fits in closely with the handling of the gateway string.

Edited Jan 29, 2021 by Daniel Lenski

invoke openconnect with originally-input server hostname rather than IP, to ensure that 'Host: ' header matches originally-input hostname

Merge request reports