adrienverge / openfortivpn

Client for PPP+TLS VPN tunnel services
GNU General Public License v3.0

Received bad header from gateway #689

Closed kenvdh closed 4 years ago

kenvdh commented 4 years ago

First of all: thanks for your software! The official FortiClient SSL VPN is impossible to find and get working on Ubuntu 18.04 LTS.

However I stumbled upon an old error: "Received bad header from gateway". I tried different versions ranging from 1.6.0 up to 1.12.0, without any luck fixing this issue.

I have a working account, validated via a web VPN page, that is used to download a (Windows-only) VPN client.

This issue had been resolved before, so I hope you can help with this one too. I don't have any info on the server side, however.

Logs from the command sudo openfortivpn -c /etc/openfortivpn/config -v (with account and server IP removed):

DEBUG: openfortivpn 1.12.0
DEBUG: Loaded config file "/etc/openfortivpn/config".
DEBUG: Loaded password from config file "/etc/openfortivpn/config"
DEBUG: Config host = ""
DEBUG: Config realm = ""
DEBUG: Config port = "443"
DEBUG: Config username = ""
DEBUG: Resolving gateway host ip
DEBUG: Establishing ssl connection
DEBUG: server_addr:
DEBUG: server_port: 443
DEBUG: gateway_addr:
DEBUG: gateway_port: 443
DEBUG: Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Connected to gateway.
DEBUG: Cookie: SVPNCOOKIE=WMdMYFPnswAt1EMggzMQVa/spMMKoHiTrXfBRkFxBWqVS+jaL0RlAPHAoAi8sXahoN/JMYb150UFNEQnmwGWBxeRqej9LXcpyX5hynShXWrE23FgULnyI3i1F3XYiVMYlB7RcYAGUvuRJBtVh/5czujSzUgLxHAOSIvdlZ67jCNZibzAvRk1H2BEDKmUZTZriq+qyn5QUJTMhey3K7pZh3gZWBEW7HfaUvfaKqkA5zlbaHUmlutrMXRKfeDJlGco
INFO: Authenticated.
DEBUG: Cookie: SVPNCOOKIE=WMdMYFPnswAt1EMggzMQVa/spMMKoHiTrXfBRkFxBWqVS+jaL0RlAPHAoAi8sXahoN/JMYb150UFNEQnmwGWBxeRqej9LXcpyX5hynShXWrE23FgULnyI3i1F3XYiVMYlB7RcYAGUvuRJBtVh/5czujSzUgLxHAOSIvdlZ67jCNZibzAvRk1H2BEDKmUZTZriq+qyn5QUJTMhey3K7pZh3gZWBEW7HfaUvfaKqkA5zlbaHUmlutrMXRKfeDJlGco
INFO: Remote gateway has allocated a VPN.
DEBUG: server_addr:
DEBUG: server_port: 443
DEBUG: gateway_addr:
DEBUG: gateway_port: 443
DEBUG: Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
DEBUG: Retrieving configuration
DEBUG: Establishing the tunnel
DEBUG: ppp_path: /usr/sbin/pppd
DEBUG: Switch to tunneling mode
DEBUG: Starting IO through the tunnel
DEBUG: pppd_read thread
DEBUG: ssl_read thread
DEBUG: ssl_write thread
DEBUG: if_config thread
Using interface ppp0
Connect: ppp0 <--> /dev/pts/0
DEBUG: pppd_write thread
DEBUG: pppd ---> gateway (16 bytes)
ERROR: Received bad header from gateway:
    (hex) 48 54 54 50 2f 31 2e 31 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0d 0a 44 61 74 65 3a 20 57 65 64 2c 20 30 36 20 4d 61 79 20 32 30 32 30 20 30 36 3a 34 37 3a 34 32 20 47 4d 54 0d 0a 53 65 72 76 65 72 3a 20 78 78 78 78 78 78 78 78 2d 78 78 78 78 78 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a 58 2d 46 72 61 6d 65 2d 4f 70 74 69 6f 6e 73 3a 20 53 41 4d 45 4f 52 49 47 49 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 66 72 61 6d 65 2d 61 6e 63 65 73 74 6f 72 73 20 27 73 65 6c 66 27 0d 0a 58 2d 58 53 53 2d 50 72 6f 74 65 63 74 69 6f 6e 3a 20 31 3b 20 6d 6f 64 65 3d 62 6c 6f 63 6b 0d 0a 58 2d 43 6f 6e 74 65
    (raw) HTTP/1.1 403 Forbidden. Date: Wed, 06 May 2020 06:47:42 GMT. Server: xxxxxxxx-xxxxx. Transfer-Encoding: chunked. Content-Type: text/html. X-Frame-Options: SAMEORIGIN. Content-Security-Policy: frame-ancestors 'self'. X-XSS-Protection: 1; mode=block. X-Cont
INFO: Cancelling threads...
DEBUG: disconnecting
DEBUG: Waiting for pppd to exit...
Hangup (SIGHUP)
Modem hangup
Connection terminated.
DEBUG: waitpid: pppd exit status code 16
INFO: pppd: The link was terminated by the modem hanging up.
INFO: Terminated pppd.
INFO: Closed connection to gateway.
DEBUG: server_addr:
DEBUG: server_port: 443
DEBUG: gateway_addr:
DEBUG: gateway_port: 443
DEBUG: Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Logged out.

Regards, Ken.

DimitriPapadopoulos commented 4 years ago

The error message originates here: https://github.com/adrienverge/openfortivpn/blob/68c734361d7f19f9c87a3520dd16dcd5ffb7d48d/src/io.c#L448-L452

In your case the value of magic seems to be 54 50 while the expected bytes are 50 50. Additionally total is 48 54 which is way too large and totally inconsistent with the value of size (2f 31). Looks like garbage but not total garbage as the odds of getting 54 50 instead of 50 50 for magic are pretty slim.

See #575. Can you try version 1.13.3?

See also #191. This might be a misconfiguration of the FortiGate appliance.

kenvdh commented 4 years ago

> The error message originates here:
>
> https://github.com/adrienverge/openfortivpn/blob/68c734361d7f19f9c87a3520dd16dcd5ffb7d48d/src/io.c#L448-L452
>
> In your case the value of magic seems to be 54 50 while the expected bytes are 50 50. Additionally total is 48 54 which is way too large and totally inconsistent with the value of size (2f 31). Looks like garbage but not total garbage as the odds of getting 54 50 instead of 50 50 for magic are pretty slim.
>
> See #575. Can you try version 1.13.3?
>
> See also #191. This might be a misconfiguration of the FortiGate appliance.

Hello @DimitriPapadopoulos, thanks for your reply.

I've tested with version 1.13.3; the output is below. It does now log a warning about an outdated FortiGate.

About the other issue (#191), does this mean it is a bug in the FortiGate software? Or might it be a configuration issue in that part?

DEBUG: openfortivpn 1.13.3
DEBUG: revision unavailable
DEBUG: Loaded config file "/etc/openfortivpn/config".
DEBUG: Loaded password from config file "/etc/openfortivpn/config"
DEBUG: Config host = ""
DEBUG: Config realm = ""
DEBUG: Config port = "443"
DEBUG: Config username = ""
DEBUG: Resolving gateway host ip
DEBUG: Establishing ssl connection
DEBUG: server_addr:
DEBUG: server_port: 443
DEBUG: gateway_addr:
DEBUG: gateway_port: 443
DEBUG: Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Connected to gateway.
DEBUG: Cookie: SVPNCOOKIE=Kl9FU9p88xpJWVtdR6TPW/iNkCvhYl3Z6ePcp0iw4fZcHvONZS4P87q8ORzuVCkbhDi3T0iKSvWvKDiNHo1/GQ/lideuph2bl/saLjzfFnA5wGyXzFW9AzR1OGC2vdYyr5XXLoXI4k2AZF5GZIhOja39APtdPtC6GDjMOPp70SzuG3bY2eiykvorIOz6bhOj7V8zHvQCwJfkk5hUAU1uO5L6d7sFe85/snEYBN7N24K7zIAC/83Dz9CLu9e/r7wk
INFO: Authenticated.
DEBUG: Cookie: SVPNCOOKIE=Kl9FU9p88xpJWVtdR6TPW/iNkCvhYl3Z6ePcp0iw4fZcHvONZS4P87q8ORzuVCkbhDi3T0iKSvWvKDiNHo1/GQ/lideuph2bl/saLjzfFnA5wGyXzFW9AzR1OGC2vdYyr5XXLoXI4k2AZF5GZIhOja39APtdPtC6GDjMOPp70SzuG3bY2eiykvorIOz6bhOj7V8zHvQCwJfkk5hUAU1uO5L6d7sFe85/snEYBN7N24K7zIAC/83Dz9CLu9e/r7wk
INFO: Remote gateway has allocated a VPN.
DEBUG: server_addr:
DEBUG: server_port: 443
DEBUG: gateway_addr:
DEBUG: gateway_port: 443
DEBUG: Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
DEBUG: Retrieving configuration
WARN: Configuration cannot be retrieved in XML format. This FortiGate appliance might be outdated and vulnerable, you might not be able to connect from systems with recent OpenSSL libraries.
DEBUG: Establishing the tunnel
DEBUG: ppp_path: /usr/sbin/pppd
DEBUG: Switch to tunneling mode
DEBUG: Starting IO through the tunnel
DEBUG: pppd_read thread
DEBUG: ssl_write thread
DEBUG: ssl_read thread
DEBUG: if_config thread
Using interface ppp0
Connect: ppp0 <--> /dev/pts/0
DEBUG: pppd_write thread
DEBUG: pppd ---> gateway (16 bytes)
ERROR: Received bad header from gateway:
    (hex) 48 54 54 50 2f 31 2e 31 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0d 0a 44 61 74 65 3a 20 57 65 64 2c 20 30 36 20 4d 61 79 20 32 30 32 30 20 30 38 3a 31 36 3a 33 37 20 47 4d 54 0d 0a 53 65 72 76 65 72 3a 20 78 78 78 78 78 78 78 78 2d 78 78 78 78 78 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a 58 2d 46 72 61 6d 65 2d 4f 70 74 69 6f 6e 73 3a 20 53 41 4d 45 4f 52 49 47 49 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 66 72 61 6d 65 2d 61 6e 63 65 73 74 6f 72 73 20 27 73 65 6c 66 27 0d 0a 58 2d 58 53 53 2d 50 72 6f 74 65 63 74 69 6f 6e 3a 20 31 3b 20 6d 6f 64 65 3d 62 6c 6f 63 6b 0d 0a 58 2d 43 6f 6e 74 65
    (raw) HTTP/1.1 403 Forbidden. Date: Wed, 06 May 2020 08:16:37 GMT. Server: xxxxxxxx-xxxxx. Transfer-Encoding: chunked. Content-Type: text/html. X-Frame-Options: SAMEORIGIN. Content-Security-Policy: frame-ancestors 'self'. X-XSS-Protection: 1; mode=block. X-Cont
INFO: Cancelling threads...
DEBUG: Error canceling safe_ssl_read_thread: No such process
INFO: Cleanup, joining threads...
DEBUG: disconnecting
DEBUG: Waiting for pppd to exit...
Hangup (SIGHUP)
Modem hangup
Connection terminated.
DEBUG: waitpid: pppd exit status code 16
INFO: pppd: The link was terminated by the modem hanging up.
INFO: Terminated pppd.
INFO: Closed connection to gateway.
DEBUG: server_addr:
DEBUG: server_port: 443
DEBUG: gateway_addr:
DEBUG: gateway_port: 443
DEBUG: Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Logged out.

mrbaseman commented 4 years ago

The raw output says HTTP/1.1 403 Forbidden. To me this looks as if your account has access to the web portal but it has not the permission to switch to tunnel mode.

The client does switch, but instead of ppp packets it receives the http error code 403 that shall tell you that you may not open the tunnel. Maybe we should catch this in the lines that @DimitriPapadopoulos has cited and print out a better error message.

FortiOS distinguishes between web access and tunnel access for the ssl vpn and it is possible to give users a shell window in the web portal, the download link for the client (which is useless, when you have no tunnel permission), bookmarks e.g. to a single sign-on page... But for using openfortivpn you need both, the web access that allows you logging in, and the tunnel access that allows you to establish the tunnel.

kenvdh commented 4 years ago

> The raw output says HTTP/1.1 403 Forbidden. To me this looks as if your account has access to the web portal but it has not the permission to switch to tunnel mode.
>
> The client does switch, but instead of ppp packets it receives the http error code 403 that shall tell you that you may not open the tunnel. Maybe we should catch this in the lines that @DimitriPapadopoulos has cited and print out a better error message.
>
> FortiOS distinguishes between web access and tunnel access for the ssl vpn and it is possible to give users a shell window in the web portal, the download link for the client (which is useless, when you have no tunnel permission), bookmarks e.g. to a single sign-on page... But for using openfortivpn you need both, the web access that allows you logging in, and the tunnel access that allows you to establish the tunnel.

Thank you @mrbaseman, I will ask the admin of the FortiGate to check my profile settings again with this extra info.

DimitriPapadopoulos commented 4 years ago

@mrbaseman Indeed this is HTTP, I should have noticed. The first line is:

48 54 54 50 2f 31 2e 31 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e
H  T  T  P  /  1  .  1     4  0  3     F  o  r  b  i  d  d  e  n

I will add some code to catch that.

@kenvdh About this warning:

WARN: Configuration cannot be retrieved in XML format. This FortiGate appliance might be outdated and vulnerable, you might not be able to connect from systems with recent OpenSSL libraries.

This might be a side-effect of the above issue, or it might be correct. To tell the truth I'm not certain about the relevance of this warning. I expect it to appear when the VPN appliance runs FortiOS 4, which is not maintained anymore and hence vulnerable. Would you happen to know the model of the FortiGate appliance and, more importantly, the version of FortiOS?
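To make the two diagnoses in this thread concrete (the header fields as decoded in the comment above, and mrbaseman's point that the bytes are really an HTTP 403), here is an added stand-alone C example. It is not openfortivpn's io.c and the function names are mine; it assumes the framing described here, a six-byte header of big-endian total, the 0x5050 magic and a size, and assumes total must equal size + 6. It decodes a header, recognises when the gateway answered with an HTTP status line instead, extracts the status code so a 403 can be reported as "tunnel mode not allowed" rather than "bad header", and includes a small parser for the "(hex) ..." dump so the bytes from a log like the one above can be checked offline.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed framing in front of every PPP packet on the TLS tunnel:
 * [total:2][magic:2][size:2], big-endian, magic == 0x5050, total == size + 6.
 * Hypothetical reimplementation for illustration, not openfortivpn's io.c. */
#define TUNNEL_HDR_LEN 6
#define TUNNEL_MAGIC   0x5050

enum hdr_class {
	HDR_OK,            /* well-formed tunnel header */
	HDR_HTTP_RESPONSE, /* gateway sent an HTTP status line instead of framing */
	HDR_BAD,           /* neither: garbage or unknown framing */
	HDR_SHORT          /* fewer than TUNNEL_HDR_LEN bytes available */
};

static uint16_t be16(const uint8_t *p)
{
	return (uint16_t)((p[0] << 8) | p[1]);
}

/* Classify the first bytes read after switching to tunnel mode. On
 * HDR_HTTP_RESPONSE, *http_status receives the 3-digit status code
 * (0 if the status line is truncated or malformed). */
enum hdr_class classify_header(const uint8_t *buf, size_t len, int *http_status)
{
	*http_status = 0;

	/* Text starting with "HTTP/" is a response, not framing. Check it first
	 * so a short HTTP reply is not misreported as a short header. */
	if (len >= 5 && memcmp(buf, "HTTP/", 5) == 0) {
		/* status line: HTTP/<ver> SP <3 digits> SP <reason> CRLF */
		const uint8_t *sp = memchr(buf, ' ', len);
		if (sp && (size_t)(sp - buf) + 4 <= len &&
		    isdigit(sp[1]) && isdigit(sp[2]) && isdigit(sp[3]))
			*http_status = (sp[1] - '0') * 100 + (sp[2] - '0') * 10 + (sp[3] - '0');
		return HDR_HTTP_RESPONSE;
	}
	if (len < TUNNEL_HDR_LEN)
		return HDR_SHORT;

	uint16_t total = be16(buf);
	uint16_t magic = be16(buf + 2);
	uint16_t size  = be16(buf + 4);
	if (magic == TUNNEL_MAGIC && total == (uint16_t)(size + TUNNEL_HDR_LEN))
		return HDR_OK;
	return HDR_BAD;
}

/* Human-readable verdict; 403 gets the specific message, other codes stay generic. */
const char *describe_header(enum hdr_class c, int http_status)
{
	switch (c) {
	case HDR_OK:
		return "valid tunnel header";
	case HDR_HTTP_RESPONSE:
		if (http_status == 403)
			return "HTTP 403: this SSL-VPN portal does not allow tunnel mode for this user/realm";
		return "gateway returned an HTTP response instead of PPP data";
	case HDR_SHORT:
		return "short read: fewer than 6 bytes";
	default:
		return "bad header: unknown framing";
	}
}

/* Turn a "(hex) 48 54 54 50 ..." dump into bytes; returns bytes written.
 * Stops at the first token that is not two hex digits or when out is full. */
size_t hex_dump_to_bytes(const char *hex, uint8_t *out, size_t cap)
{
	size_t n = 0;
	while (*hex && n < cap) {
		while (*hex == ' ')
			hex++;
		if (!isxdigit((unsigned char)hex[0]) || !isxdigit((unsigned char)hex[1]))
			break;
		char tok[3] = { hex[0], hex[1], 0 };
		out[n++] = (uint8_t)strtoul(tok, NULL, 16);
		hex += 2;
	}
	return n;
}

int main(void)
{
	/* First bytes of the dump reported in this issue. */
	static const char dump[] =
		"48 54 54 50 2f 31 2e 31 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0d 0a";
	uint8_t buf[64];
	size_t n = hex_dump_to_bytes(dump, buf, sizeof buf);
	int status;
	enum hdr_class c = classify_header(buf, n, &status);
	printf("%s\n", describe_header(c, status));

	/* Constructed well-formed header: total 22 == size 16 + 6. */
	const uint8_t good[] = { 0x00, 0x16, 0x50, 0x50, 0x00, 0x10 };
	c = classify_header(good, sizeof good, &status);
	printf("%s\n", describe_header(c, status));
	return 0;
}
```

Run against the dump from the log, the first six bytes decode exactly as the comment above describes (total 0x4854, magic 0x5450, size 0x2f31) and fail the framing check, while the "HTTP/" prefix identifies the real cause. Checking for the HTTP prefix before the framing fields is the part worth keeping: a truncated HTTP reply would otherwise be reported as a short or bad header and the 403 would be lost.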

kenvdh commented 4 years ago

@DimitriPapadopoulos I've asked the admin to send me details on the FortiGate software in use ... I hope to receive it soon, then I will update the information here. Thanks!

DimitriPapadopoulos commented 4 years ago

@kenvdh If you feel comfortable compiling openfortivpn, could you build openfortivpn out of the latest GitHub commits (including ec798eef341f2a089cf6d4c7633548b2f1032aa1) and check you see a (more) meaningful error message?

kenvdh commented 4 years ago

@DimitriPapadopoulos, sure, just finished the test with the latest code. This is the output now:

DEBUG: openfortivpn 1.13.3
DEBUG: revision unavailable
DEBUG: Loaded config file "/etc/openfortivpn/config".
DEBUG: Loaded password from config file "/etc/openfortivpn/config"
DEBUG: Config host = ""
DEBUG: Config realm = ""
DEBUG: Config port = "443"
DEBUG: Config username = ""
DEBUG: Resolving gateway host ip
DEBUG: Establishing ssl connection
DEBUG: server_addr:
DEBUG: server_port: 443
DEBUG: gateway_addr:
DEBUG: gateway_port: 443
DEBUG: Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Connected to gateway.
DEBUG: Cookie: SVPNCOOKIE=kRRRVxUutAz9iapodlaPEVvTQAqigtVweTkvgKiMI0zfnSsP9aSBJK5jKt1ZQBUKr793r/IICnYr+gh1+jflY4DhkCwwSu2Imbm+WwEdiXCHThKw48kl9x0nhpL3ioRF0SW7+3nMRYBd9nrb8cytKSsTS7GnLzFoIbH2Fp25OQc1SIYq4tj3A/EOBLRSR4we0q3N00Yh7oJhmleJXZ+vyA1lxxailp+CvDy1tbK4F5P+wf1EWAtDWX5FUCNb4Fiw
INFO: Authenticated.
DEBUG: Cookie: SVPNCOOKIE=kRRRVxUutAz9iapodlaPEVvTQAqigtVweTkvgKiMI0zfnSsP9aSBJK5jKt1ZQBUKr793r/IICnYr+gh1+jflY4DhkCwwSu2Imbm+WwEdiXCHThKw48kl9x0nhpL3ioRF0SW7+3nMRYBd9nrb8cytKSsTS7GnLzFoIbH2Fp25OQc1SIYq4tj3A/EOBLRSR4we0q3N00Yh7oJhmleJXZ+vyA1lxxailp+CvDy1tbK4F5P+wf1EWAtDWX5FUCNb4Fiw
INFO: Remote gateway has allocated a VPN.
DEBUG: server_addr:
DEBUG: server_port: 443
DEBUG: gateway_addr:
DEBUG: gateway_port: 443
DEBUG: Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
DEBUG: Retrieving configuration
WARN: Configuration cannot be retrieved in XML format. This VPN-SSL portal might be outdated and vulnerable, you might not be able to connect from systems with recent OpenSSL libraries.
DEBUG: Establishing the tunnel
DEBUG: ppp_path: /usr/sbin/pppd
DEBUG: Switch to tunneling mode
DEBUG: Starting IO through the tunnel
DEBUG: pppd_read thread
DEBUG: ssl_write thread
DEBUG: ssl_read thread
DEBUG: if_config thread
Using interface ppp0
Connect: ppp0 <--> /dev/pts/2
DEBUG: pppd_write thread
DEBUG: pppd ---> gateway (16 bytes)
ERROR: This SSL-VPN portal does not allow tunnel mode.
INFO: Cancelling threads...
DEBUG: Error canceling safe_ssl_read_thread: No such process
INFO: Cleanup, joining threads...
DEBUG: disconnecting
DEBUG: Waiting for pppd to exit...
Hangup (SIGHUP)
Modem hangup
Connection terminated.
DEBUG: waitpid: pppd exit status code 16
INFO: pppd: The link was terminated by the modem hanging up.
INFO: Terminated pppd.
INFO: Closed connection to gateway.
DEBUG: server_addr:
DEBUG: server_port: 443
DEBUG: gateway_addr:
DEBUG: gateway_port: 443
DEBUG: Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Logged out.

I have not received any information on the FortiGate software from the admin so far.

kenvdh commented 4 years ago

Hello @DimitriPapadopoulos and @mrbaseman,

Thanks to your help and extra logging, the admin found a missing config part "realm" that I needed to include in the settings. So now I have an extra config value "realm = ***" and everything works.

Thank you both for the fast reaction and help! The issue can be closed, the software works fine.

DimitriPapadopoulos commented 4 years ago

OK I'll adapt the error message accordingly then, and suggest a broader scope of reasons for the 403 HTTP error.

Any feedback on the FortiOS version? Even without telling us the exact version, do you believe this warning makes sense in your case?

WARN: Configuration cannot be retrieved in XML format. This VPN-SSL portal might be outdated and vulnerable, you might not be able to connect from systems with recent OpenSSL libraries.

kenvdh commented 4 years ago

Hello @DimitriPapadopoulos,

Sorry to say I have not received any information on the FortiOS version, and they are not sharing it with me. So I can only guess this is due to an older version in use. In that case the warning makes sense.

Thanks again, and if I can test the new error messages, let me know.