Multiple Certs and Keys

Yick Xie yick.xie at gmail.com
Wed Jun 29 06:18:25 PDT 2016


Hello Nikos,

The openconnect client is gui v1.3, and as long as the certificate was
confirmed, no more warning would be shown. Technically it's still a
better idea to clearly notify users of potential man-in-the-middle
attacks, once the certificate mismatched the domain/IP. Moreover in my
mind, some additional features are supposed to be helpful in future:
to read the server list from profile.xml and language packages.

As to AnyConnect, it seems Cisco has not yet implemented SNI feature
at present. The current policy is to allow only one certificate for
each interface. However SAN attribute is recommended to handle
multiple domains as indicated on their forum. A little pity!

Regards,
Yick

2016-06-29 15:32 GMT+08:00 Nikos Mavrogiannopoulos
<n.mavrogiannopoulos at gmail.com>:
> On Wed, Jun 29, 2016 at 12:10 AM, Yick Xie <yick.xie at gmail.com> wrote:
>> Hello Nikos,
>>
>> As I tested the openconnect client can successfully tell them apart.
>
> That also means that in your platform the anyconnect client doesn't
> set server name indication. You can verify that by capturing traffic
> and verifying that the first handshake message contains the server
> name indication TLS extension.
>
> regards,
> Nikos
