DimitriPapadopoulos
commented
3 months ago The modified code had been introduced in #464 / 320f95f and #631 / abf1a95 to add smartcard support. It is triggered only if you do not pass a password:
openfortivpn -vv **********:8443 --user-cert=cert --user-key=key --trusted-cert ****************************I don't know why cert=&nup=1 ("no user password"?) had initially been added. The pull request doesn't get into such details. My only concern is that older versions of FortiOS might require options nup=1 or cert=, while FortiOS 7.4 doesn't like then. But then, if current versions of FortiClient don't send these options, I guess this change is pretty safe.
Hi,
After I encounter an issue on my Fortigate following FortiOS upgrade from 7.2.8 to 7.4.4 (see the issue I openned: here). My investigation leads me to think that now Fortigate > 7.2.4 doesn't support any content when issuing login request on "/remote/login" and so "Content-length" must be 0. This is confirmed by the debug logs on the firewall saying
do_http_validate:447 Content-Length (11) on uri (/remote/login) not allowedand by observing Forticlient requests content on Windows using Burp proxy that have no content.So I'm proposing this pull request to fix the issue on newer Fortigate version where GET request on "/remote/login" is now sending nothing instead of "cert=&nup=1".
This has been tested on a Fortigate 500E running FortiOS 7.4.4.
BR,
A.