OS X Mavericks breaks OpenConnect with Cisco AnyConnect Secure Desktop (CSD)

Andrew Kutz sakutz at gmail.com
Wed Oct 23 17:21:18 EDT 2013


Technically Apple simply replaced the SSL engine on which libcurl depends. Unfortunately this broke the Cisco cstub binary. Below is what I reported to Cisco. I’m happy to say that the workaround I provided also allows OpenConnect to connect to AnyConnect with CSD once again. 


-~= The Problem(s)=~-

1. CSD refuses to load from within Safari because of the new sandboxing rules.
 
java(67861) deny file-write-data /Users/akutz/.cisco/hostscan/bin/cstub 

Process: java [67861]
Path: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java
Load Address: 0x106dd3000
Identifier: java
Version: ??? (???)
Code Type: x86_64 (Native)
Parent Process: PluginProcess [67853]

Date/Time: 2013-10-23 13:00:43.513 -0500
OS Version: Mac OS X 10.9 (13A603)
Report Version: 8
 
2. Using Firefox (since Chrome still isn't 64-bit and compatible with Java plugins), I run into an issue seemingly related to Apple changing the SSL engine on which libcurl depends. The Cisco Secure Desktop client stub binary, cstub stud, cannot load libcurl because cstub claims libcurl doesn't support SSL because I'm betting it's trying to assert that it supports openssl (which it no longer does -- by design).


 
-~= The Workaround =~-

I was able to get it to work by copying /usr/lib/libcurl.4.dylib from my wife's 10.8 system and placing it in /usr/lib on mine (after backing up the distribution copy of course).
 
I also copied /usr/bin/curl and /usr/bin/curl-config over from her system, but I don't think that was necessary since as you can see both curl binaries report the same, now working, version of libcurl:
 
[0]akutz@b3dg:.vpn$ /usr/bin/curl --version
curl 7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8y zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp 
Features: AsynchDNS GSS-Negotiate IPv6 Largefile NTLM NTLM_WB SSL libz 
 
[0]akutz@b3dg:.vpn$ /usr/bin/curl.dist --version
curl 7.30.0 (x86_64-apple-darwin13.0) libcurl/7.24.0 OpenSSL/0.9.8y zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp 
Features: AsynchDNS GSS-Negotiate IPv6 Largefile NTLM NTLM_WB SSL libz
 
I posted the files to http://files.lostcreations.com/curl-libcurl-os-x-10.8.tgz. The MD5 checksum of the tarball is 15c79f5b061503ccc56e745761ebffbc.

-- 
-a

"I wonder if procrastinators realize that they're not putting off work, just putting it off onto other people?" 
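
Added example (not part of the original message, and not OpenConnect or Cisco code): a Python parser for the first line of `curl --version`, as quoted above, that reports which TLS backend libcurl was built against and flags a curl binary loading a different libcurl version, as in the curl.dist output. The SecureTransport banner is a constructed sample, and the default expectation of OpenSSL reflects the author's guess about what cstub checks.

```python
import re

# Banners copied from the message above.
BANNER_10_8 = "curl 7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8y zlib/1.2.5"
BANNER_DIST = "curl 7.30.0 (x86_64-apple-darwin13.0) libcurl/7.24.0 OpenSSL/0.9.8y zlib/1.2.5"
# Constructed sample: a libcurl built on Secure Transport instead of OpenSSL.
BANNER_ST = "curl 7.30.0 (x86_64-apple-darwin13.0) libcurl/7.30.0 SecureTransport zlib/1.2.5"

# TLS backend names that can appear in the banner (not exhaustive).
TLS_BACKENDS = ("OpenSSL", "SecureTransport", "GnuTLS", "NSS", "LibreSSL")

def parse_banner(line):
    """Split the first line of `curl --version` into its components."""
    m = re.match(r"curl (\S+) \((\S+)\) libcurl/(\S+)(.*)", line.strip())
    if not m:
        raise ValueError("not a curl version banner: %r" % line)
    tool, platform, lib, rest = m.groups()
    backend = None
    for token in rest.split():
        # Tokens look like "OpenSSL/0.9.8y" or a bare "SecureTransport".
        if token.split("/", 1)[0] in TLS_BACKENDS:
            backend = token
            break
    return {"tool": tool, "platform": platform, "libcurl": lib,
            "tls": backend, "mismatch": tool != lib}

def check(line, want="OpenSSL"):
    """Return findings for one banner; an empty list means nothing to flag."""
    info = parse_banner(line)
    findings = []
    if info["tls"] is None:
        findings.append("no TLS backend reported")
    elif not info["tls"].startswith(want):
        findings.append("TLS backend is %s, not %s" % (info["tls"], want))
    if info["mismatch"]:
        # The curl binary and the libcurl it loaded come from different builds.
        findings.append("curl %s is loading libcurl %s"
                        % (info["tool"], info["libcurl"]))
    return findings

if __name__ == "__main__":
    for banner in (BANNER_10_8, BANNER_DIST, BANNER_ST):
        print(banner.split(" (")[0], "->", check(banner) or "ok")
```
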




More information about the openconnect-devel mailing list