www.infradead.org Git - users/dwmw2/openconnect.git/commit

author	Daniel Lenski <dlenski@gmail.com>
	Thu, 2 Aug 2018 19:10:45 +0000 (12:10 -0700)
committer	Daniel Lenski <dlenski@gmail.com>
	Thu, 2 Aug 2018 19:29:43 +0000 (12:29 -0700)
commit	46de5eee61127499d7401c8981dd5697307f4f12
tree	102af322b1463444ce3b161895a57242513b80e1	tree
parent	ffebb560afe5d66d5827863ebff3f8f3736cf309	commit \| diff

Reduce unnecessary connection-rebuilding for Juniper

The current oNCP (Juniper) protocol support sets "Connection: close" in all
HTTP requests. This is not ideal because it requires many TLS handshakes
and round-trips, making the connection very slow to start when the latency
of the connection to the gateway is high, especially if the number of
authentication forms and redirects is large.

Simply removing the "Connection: close" header causes the oNCP connection
to fail; the server doesn't interpret the first packet sent over the oNCP
tunnel correctly (the vestigial authentication packet).

However, it appears that the "Connection: close" header *only* needs to be
specified for this final HTTP request, and not for any of the prior ones.
The presence of this header seems to signal to the gateway that it should
stop treating this as an HTTP connection, and start treating it as an
oNCP tunnel.

Tested on two different Juniper gateways, one which returns
"NCP-Version: 2" and one which returns "NCP-Version: 3" in response to
the oNCP negotiation requests.

auth-juniper.c		diff \| blob \| history
oncp.c		diff \| blob \| history