Openconnect and Cisco hostscan

Magnusson Peter Peter.Magnusson at smhi.se
Tue Sep 12 08:11:16 PDT 2017


We are running Openconnect on rhel7 against Cisco ASA(with hostscan
enabled). After an upgrade for hostscan that was released recently
version 4.3.0538 we are having problems connecting.

It seems to be due to a bugfix that cisco provided in this release:
https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect43/release/notes/b_Release_Notes_AnyConnect_4_3.html#reference_yfw_wnj_r1b
"cstub should validate server certificates for a ssl connection"

cstub binary is triggered by the cisco-wrapper script and tries to
communicate with the vpn server but fails because it can not verify the
root CA certificate.

We have tried to place the root CA certificate in every thinkable
certstore but no luck. When running strace on cstub it looks like it's
actually reading the root CA cert from for example
/opt/.cisco/certificates/ca but the certificate validation still fails.

Is anyone else experiencing this problem?


-- 
Peter Magnusson
ITpc

SMHI
Phone 011-495 8547 Fax 011-4958350
Email Peter.Magnusson at smhi.se
601 76 Norrköping Visiting address Folkborgsvägen 17
www.smhi.se
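A way to test, independently of cstub, whether the CA file it reads actually verifies the ASA's chain. This is an added diagnostic, not code from the mail or from OpenConnect; it assumes only the openssl CLI, and every name and path in it (the temp directory, "asa.example.invalid", "Test Root CA", "Other Root") is made up for the demonstration.

```shell
#!/bin/sh
# Added diagnostic (not from the original mail or the OpenConnect project).
# Builds a throwaway CA and a server certificate signed by it, then shows
# what a trust-store chain check returns when the CA file matches and when
# it holds an unrelated root. Needs only the openssl CLI; all names are
# made up for the demonstration.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Construct a private root, a server cert it signed, and an unrelated root.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Test Root CA' \
      -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj '/CN=asa.example.invalid' \
      -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$WORK/srv.csr" -CA "$WORK/ca.pem" \
      -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/srv.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Other Root' \
      -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
}

# verify_chain CAFILE CERT: prints "ok" or the reason openssl rejected
# the chain, i.e. the offline form of the check a TLS client does against
# its trust store. The "|| true" keeps the function usable under set -e.
verify_chain() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  case "$out" in
    *": OK") echo ok ;;
    *) echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1 ;;
  esac
}

# live_check CAFILE HOST [PORT]: the same check against a running server,
# e.g. the ASA, using the CA file the client is believed to be reading.
# Prints openssl's "Verify return code" line; "0 (ok)" means the chain
# verified against CAFILE.
live_check() {
  printf '' | openssl s_client -connect "$2:${3:-443}" -servername "$2" \
      -CAfile "$1" 2>/dev/null | sed -n 's/^ *Verify return code: //p'
}

make_test_pki
verify_chain "$WORK/ca.pem"    "$WORK/srv.pem"   # ok
verify_chain "$WORK/other.pem" "$WORK/srv.pem"   # unable to get local issuer certificate
```

Running `live_check /opt/.cisco/certificates/ca <asa-host>` on the affected client shows whether the file cstub reads contains the root (or a complete chain) for the certificate the ASA actually presents, which separates a trust-store problem from a bug in cstub itself.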


More information about the openconnect-devel mailing list