csd-post.sh "You are attempting to use a digital certificate not assigned to this device"

traxtopel at gmail.com
Tue Jul 4 05:14:50 PDT 2023


Hi Daniel,
as part of our many layers of security we have a policy to limit access
to the registered MAC addresses. As a result, I am utilizing this patch
to csd-post.sh. This might be useful to somebody else.

--- csd-post.sh.orig	2023-07-04 14:08:44.835890581 +0200
+++ csd-post.sh	2023-07-04 14:11:16.054802224 +0200
@@ -12,6 +12,23 @@
 # server's security policy with lies. This script exists as an example
 # to work from.
 
+if openssl version|awk '{ print $2 }' | grep -Eq '^3'; then
+    OPENSSL_CONF_FILE=$(mktemp)
+    cat << EOF > $OPENSSL_CONF_FILE
+openssl_conf = openssl_init
+
+[openssl_init]
+ssl_conf = ssl_sect
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+Options = UnsafeLegacyRenegotiation
+EOF
+    export OPENSSL_CONF=$OPENSSL_CONF_FILE
+fi
+
 if ! xmlstarlet --version > /dev/null 2>&1; then
     echo
"**********************************************************************
**" >&2
     echo "WARNING: xmlstarlet not found in path; CSD token extraction
may not work" >&2
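Review bot: the OpenSSL 3 block at the top of this hunk sets `Options = UnsafeLegacyRenegotiation` for every OpenSSL consumer the script launches, which drops the RFC 5746 secure-renegotiation requirement for the curl call, and neither the hunk nor the message says why the CSD endpoint needs it; please add a comment stating the reason. The config is created with `mktemp` here but only deleted on the very last line of the script, so any early exit (the xmlstarlet check, a failed curl) leaves it behind; add it to the existing `trap 'rm $RESPONSE $RESULT' EXIT` (e.g. `trap 'rm -f "$RESPONSE" "$RESULT" "$OPENSSL_CONF_FILE"' EXIT`) instead of cleaning it up by hand, and quote `"$OPENSSL_CONF_FILE"` in the redirection and export.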
@@ -32,12 +49,45 @@
     echo
"*********************************************************************"
>&2
 fi
 
+USE_MACHINE_MAC=true
+if [[ "$USE_MACHINE_MAC" == "true" ]]; then
+    # Function to convert MAC address to the format FFFF.FFFF.FFFF
+    convert_mac_address() {
+        local mac_address=$1
+        echo "${mac_address//:}" | sed 's/^\([0-9A-Fa-f]\{4\}\)\([0-
9A-Fa-f]\{4\}\)\([0-9A-Fa-f]\{4\}\).*$/\1.\2.\3/'
+    }
+    macaddresses=()
+
+    while IFS= read -r -d '' device; do
+        device_name=$(basename "$device")
+        if [[ ! $device_name =~ (tap|virbr|lo|vpn) ]]; then
+            address_file="$device/address"
+            if [[ -f $address_file ]]; then
+                macaddress=$(< "$address_file")
+                macaddresses+=("$(convert_mac_address "$macaddress")")
+            fi
+        fi
+    done < <(find "/sys/class/net" -mindepth 1 -print0)
+
+    # Convert each value to the format FFFF.FFFF.FFFF
+    converted_values=""
+    IFS='|' read -ra value_array <<< "$values"
+    for value in "${macaddresses[@]}"; do
+        converted_value=$(convert_mac_address "$value")
+       
converted_values+="endpoint.device.MAC[\"$converted_value\"]=\"true\";\
n"
+    done
+
+    # Print the converted values
+    mac_address=$(echo -e "$converted_values" | sed '$ s/.$//')
+
+else
+    mac_address='endpoint.device.MAC["FFFF.FFFF.FFFF"]="true";'
+fi
 
 export RESPONSE=$(mktemp /tmp/csdresponseXXXXXXX)
 export RESULT=$(mktemp /tmp/csdresultXXXXXXX)
 trap 'rm $RESPONSE $RESULT' EXIT
 
-
 cat >> $RESPONSE <<EOF
 endpoint.os.version="$(uname -s)";
 endpoint.os.servicepack="$(uname -r)";
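Review bot: `IFS='|' read -ra value_array <<< "$values"` reads a variable `$values` that is never set and fills `value_array`, which is never used; drop that line. In the same loop `convert_mac_address` is applied a second time to entries that were already converted when they were appended to `macaddresses` (the sed pattern requires twelve consecutive hex digits, so on the dotted form it is a no-op, but it reads as if conversion happened here); convert once, either when reading `$address_file` or in the loop. `/sys/class/net/*/address` is lowercase on Linux while the placeholder the script used before is `FFFF.FFFF.FFFF`; if the server compares case-sensitively, add `| tr 'a-f' 'A-F'` to `convert_mac_address`. The `echo -e ... | sed '$ s/.$//'` trimming only works because the last line is empty; building the lines with `printf '%s\n'` and letting command substitution strip the trailing newline is simpler and clearer. Finally, the filter `(tap|virbr|lo|vpn)` is an unanchored regex, so it also skips any interface whose name merely contains those strings, and it does not skip `tun*`, `docker*` or `veth*` devices, whose addresses will be sent as well.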
@@ -46,26 +96,7 @@
 endpoint.device.protection="none";
 endpoint.device.protection_version="3.1.03103";
 endpoint.device.hostname="$(hostname)";
-endpoint.device.port["9217"]="true";
-endpoint.device.port["139"]="true";
-endpoint.device.port["53"]="true";
-endpoint.device.port["22"]="true";
-endpoint.device.port["631"]="true";
-endpoint.device.port["445"]="true";
-endpoint.device.port["9216"]="true";
-endpoint.device.tcp4port["9217"]="true";
-endpoint.device.tcp4port["139"]="true";
-endpoint.device.tcp4port["53"]="true";
-endpoint.device.tcp4port["22"]="true";
-endpoint.device.tcp4port["631"]="true";
-endpoint.device.tcp4port["445"]="true";
-endpoint.device.tcp4port["9216"]="true";
-endpoint.device.tcp6port["139"]="true";
-endpoint.device.tcp6port["53"]="true";
-endpoint.device.tcp6port["22"]="true";
-endpoint.device.tcp6port["631"]="true";
-endpoint.device.tcp6port["445"]="true";
-endpoint.device.MAC["FFFF.FFFF.FFFF"]="true";
+$mac_address
 endpoint.device.protection_extension="3.6.4900.2";
 endpoint.fw["IPTablesFW"]={};
 endpoint.fw["IPTablesFW"].exists="true";
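Review bot: `$mac_address` replaces the single placeholder line, but when `USE_MACHINE_MAC` is true and no eligible interface is found (or every one is filtered out), `converted_values` stays empty and the heredoc emits a blank line instead of any `endpoint.device.MAC[...]` entry, which reproduces the "digital certificate not assigned to this device" failure this patch is meant to fix; fall back to the `FFFF.FFFF.FFFF` placeholder, or exit with a clear message, when `${#macaddresses[@]}` is zero.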
@@ -74,6 +105,14 @@
 endpoint.fw["IPTablesFW"].enabled="ok";
 EOF
 
+for port in 9217 139 53 22 631 445 9216; do
+    cat >> $RESPONSE <<EOF ;
+endpoint.device.port["$port"]="true";
+endpoint.device.tcp4port["$port"]="true";
+endpoint.device.tcp6port["$port"]="true";
+EOF
+done
+
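Review bot: the `;` after `<<EOF` in `cat >> $RESPONSE <<EOF ;` is a stray token (the heredoc body is still read from the following lines, so it works, but it looks like a typo); write `cat >> "$RESPONSE" <<EOF` and quote `$RESPONSE`. The loop also emits `tcp6port` for every port, whereas the lines removed in the previous hunk did not list 9217 and 9216 under `tcp6port`; if that difference is deliberate, say so in the message.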
 shift
 
 TICKET=
@@ -174,5 +213,6 @@
 curl $PINNEDPUBKEY -s -H "$CONTENT_HEADER" -H "$COOKIE_HEADER" -H
'Expect: ' --data-binary @$RESPONSE "$URL" > $RESULT
 
 cat $RESULT || :
+[ -f $OPENSSL_CONF_FILE ] && rm =f $OPENSSL_CONF_FILE
 
 exit 0
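Review bot: `rm =f $OPENSSL_CONF_FILE` is a typo for `rm -f`; as written, rm is asked to delete a file literally named `=f` and prints an error, and on OpenSSL 1.x systems where `OPENSSL_CONF_FILE` is never set the test collapses to `[ -f ]`, which is true, so the error appears on every run. Quote the variable and guard on it being set, `[ -n "$OPENSSL_CONF_FILE" ] && rm -f "$OPENSSL_CONF_FILE"`, or better, fold it into the existing EXIT trap so it is also removed when curl fails before reaching this line.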

On Fri, 2023-06-30 at 11:09 -0700, Daniel Lenski wrote:
> On Mon, Jun 26, 2023 at 4:56 AM Grant Williamson
> <traxtopel at gmail.com> wrote:
> > I'm encountering an issue with the csd-post.sh script. When
> > attempting
> > to use it, I receive the error message: "You are attempting to use
> > a
> > digital certificate not assigned to this device." I would
> > appreciate
> > any insights on how to add support for when a server cross checks
> > the
> > MAC address functionality in the script.
> 
> > Helps if I just try using what is there. Sorry.
> > endpoint.device.MAC["FFFF.FFFF.FFFF"]="true";
> 
> Glad you figured it out, but… wow.
> 
> "Digital certificate not assigned to this device" is a very
> misleading/unclear/irrelevant error message for "you didn't tell us
> your MAC address."
> 
> Unfortunately, OpenConnect has encountered many such similar cases
> where VPN servers send vague/misleading error messages when they
> reach
> an unexpected state
> (
> https://gitlab.com/openconnect/openconnect/-/blob/master/gpst.c#L672-
> 676).
> It appears that their developers and administrators only test them
> against their official clients, and don't consider what would happen
> if a different client sent a different set of information.
> 
> (Needless to say, these kinds of flawed assumptions are also a rich
> source of security vulnerabilities. 😈)
