Centos 7 curl does not support '--pinnedpubkey' use in csd-post and csd-wrapper
Sindlinger, Randall A. (GSFC-619.0)[SCIENCE SYSTEMS AND APPLICATIONS INC]
randall.a.sindlinger at nasa.gov
Tue Jul 28 13:38:52 EDT 2020
Hello,
I'm trying to use openconnect under Centos 7. I'm using the repo-supplied version of openconnect:
$ openconnect --version
OpenConnect version v8.10
Using GnuTLS 3.3.29. Features present: TPM, PKCS#11, RSA software token, HOTP software token, TOTP
software token, Yubikey OATH, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse
I had used openconnect successfully on a different system, but now I am failing to connect to the
Cisco VPN. It seems the cause is that the supplied version of curl is 7.29.0, and does not support
the --pinnedpubkey used in the csd-post.sh and csd-wrapper.sh scripts. (I am currently trying to
use the updated csd-post script at https://gitlab.com/openconnect/openconnect/-/tree/master/trojans)
Assuming I need --pinnedpubkey support, do you know of an appropriate (Centos-7 friendly) resource
to obtain an updated curl (7.39 or higher, per https://bugzilla.redhat.com/show_bug.cgi?id=1195771)?
The only repo I've found so far is city-fan, but Centos flags it as a "Known Problem Repository":
City-Fan will replace many core packages as configured when installed and those packages often
have a different structure than the CentOS ones making them difficult if not impossible to
remove cleanly. Even removing packages installed from this repository may leave the system in
an unusable state. You've been warned.
If I need to build curl, before I go down that rabbit hole, will the --pinnedpubkey support have a
reasonable likelihood of solving my problem?
PS - I'm pointing openconnect to (I thought) the same cert Cisco Anyconnect is using, so I didn't
think I have a cert issue. But I just tried changing the invocation to use my RSA token instead of
PIV card, and have a different set of errors, that calls the cert into question. Perhaps this sheds
additional light on my problem, and I've been barking up the wrong tree? (The openconnect.conf file
is provided after my signature)
$ openconnect --config=/home/rsindlin/.cisco/openconnect.conf --authgroup=GSFC_RSA_Pri https://xxxxxxx.xxxx.gov
POST https://xxxxxxx.xxxx.gov/
Connected to XXX.XXX.XXX.X:443
SSL negotiation with xxxxxxx.xxxx.gov
Connected to HTTPS on xxxxxxx.xxxx.gov with ciphersuite (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)
Server requested SSL client certificate; none was configured
POST https://xxxxxxx.xxxx.gov/
XML POST enabled
Certificate Validation Failure
Please enter your username and password.
POST https://xxxxxxx.xxxx.gov/
XML POST enabled
************************************************************************
WARNING: xmlstarlet not found in path; CSD token extraction may not work
************************************************************************
curl: option --pinnedpubkey: is unknown
curl: try 'curl --help' or 'curl --manual' for more information
curl: option --pinnedpubkey: is unknown
curl: try 'curl --help' or 'curl --manual' for more information
GET https://gsfcvpn.nasa.gov/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
Any suggestions are very much appreciated!
Thanks,
-Randall Sindlinger
Additional info, if interested
------------------------------
openconnect.conf
----------------
script-tun
script /home/rsindlin/local/bin/ocproxy -D 11080
cafile /etc/pki/ca-trust/source/anchors/NTAM_2020_1.pem
mtu 1322
csd-wrapper /home/rsindlin/.cisco/trojans_csd-post.sh
#csd-wrapper /home/rsindlin/.cisco/trojans_csd-wrapper.sh
csd-user rsindlin
----------------
I'm running openconnect with PIV authentication as:
openconnect --config=/home/rsindlin/.cisco/openconnect.conf -c pkcs11:id=%01 --authgroup=GSFC_Teleworker_Pri https://XXXXXXX.XXXX.gov
Using the csd-post script as-is, it loops on:
GET https://XXXXXXX.XXX.gov/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://XXXXXXX.XXX.gov/+CSCOE+/sdesktop/wait.html
SSL negotiation with XXXXXXX.XXXX.gov
Connected to HTTPS on XXXXXXX.XXXX.gov with ciphersuite (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
If I try just the option --pubkey from the scripts (really a Hail Mary idea) the failure message is
simply:
SSL connection failure: PKCS #11 user error
Failed to open HTTPS connection to xxxxxx.xxxx.gov
Failed to obtain WebVPN cookie
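The "curl: option --pinnedpubkey: is unknown" lines in the log above come from curl 7.29.0 rejecting the option, which curl added in 7.39.0. The following script is an added example, not code from the original post and not openconnect's own trojans/ scripts: it checks whether the local curl is new enough and actually lists the option, and shows how the value curl expects for --pinnedpubkey (the base64 SHA-256 of the server's DER-encoded SubjectPublicKeyInfo, prefixed "sha256//", as the curl manual describes) is derived from a certificate. It assumes POSIX sh and awk, plus the openssl command-line tool for the two pin helpers; the host name and port arguments are whatever the reader supplies.

```shell
#!/bin/sh
# Added example, not code from the original post or from openconnect's
# trojans/ scripts. Assumes POSIX sh, awk and (for the pin helpers) openssl.

# Turn "7.29.0" into 7029000 so versions compare as integers.
# Assumes each component is below 1000; a suffix such as "-DEV" is ignored by awk.
ver_num() {
    echo "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# Succeeds when version $1 is at least version $2.
version_ge() {
    [ "$(ver_num "$1")" -ge "$(ver_num "$2")" ]
}

# First line of `curl --version` reads "curl 7.29.0 (x86_64-redhat-linux-gnu) ...".
curl_version() {
    curl --version 2>/dev/null | awk 'NR == 1 { print $2 }'
}

# --pinnedpubkey appeared in curl 7.39.0, but also look for it in the option
# list so a backported or oddly versioned build is judged by what it accepts.
# (`--help all` is needed on recent curl, which otherwise prints a short list;
# older curl ignores the word "all" and prints its full help.) Whether the TLS
# backend implements pinning only becomes visible at connect time.
curl_has_pinnedpubkey() {
    curl --help all 2>/dev/null | grep -q -- '--pinnedpubkey' ||
        curl --help 2>/dev/null | grep -q -- '--pinnedpubkey'
}

# Fetch the leaf certificate a TLS server presents, as PEM on stdout.
# $1 = host name, $2 = port (443 if omitted).
server_cert_pem() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509
}

# Compute the value curl's --pinnedpubkey expects for a PEM certificate on
# stdin: "sha256//" followed by the base64 SHA-256 of the DER-encoded
# SubjectPublicKeyInfo. This pins the key, not the certificate, so the pin
# survives a renewal that reuses the key pair and breaks on a key change.
spki_pin() {
    pin=$(openssl x509 -pubkey -noout |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary |
        openssl enc -base64 -A)
    echo "sha256//$pin"
}

# Stand-alone use: report what the local curl can do. Skipped when curl is
# absent so the functions above can also be sourced from another script.
if command -v curl >/dev/null 2>&1; then
    v=$(curl_version)
    if version_ge "$v" 7.39.0 && curl_has_pinnedpubkey; then
        echo "curl $v: --pinnedpubkey available"
    else
        echo "curl $v: --pinnedpubkey unsupported (need 7.39.0 or newer);" \
             "the CSD scripts' curl calls will fail as in the log above"
    fi
fi
```

To see what pin a given VPN head end would need, run `server_cert_pem vpn.example.org | spki_pin` (host name assumed) on a machine with openssl and compare the output with whatever the CSD script passes after `--pinnedpubkey`. Pinning the SPKI hash rather than trusting the CA file alone is what stops a substituted certificate from the same CA from passing the CSD upload, so a curl without the option is not merely a cosmetic gap.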