Openconnect and Cisco hostscan

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Tue Sep 12 10:10:22 PDT 2017


On Tue, 2017-09-12 at 15:11 +0000, Magnusson Peter wrote:
> We are running Openconnect on rhel7 against Cisco ASA(with hostscan
> enabled). After an upgrade for hostscan that was released recently
> version 4.3.0538 we are having problems connecting.
> 
> It seems to be due to a bugfix that cisco provided in this release:
> https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect43/release/notes/b_Release_Notes_AnyConnect_4_3.html#reference_yfw_wnj_r1b
> "cstub should validate server certificates for a ssl connection"
> 
> cstub binary is triggered by the cisco-wrapper script and tries to
> communicate with the vpn server but fails because it can not verify
> the root CA certificate.
> 
> We have tried to place the root CA certificate in every thinkable
> certstore but no luck. When running strace on cstub it looks like it's
> actually reading the root CA cert from, for example,
> /opt/.cisco/certificates/ca, but the certificate validation still
> fails.

Is the cstub a program for RHEL7? If yes, it should read the
certificates from the locations documented in the update-ca-trust manpage.
Otherwise you may want to use strace to figure out where it looks for
them.

regards,
Nikos
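As an added illustration of the strace approach suggested above (this is not part of the thread and not openconnect or Cisco code): a small POSIX sh helper that takes `strace -f -e trace=open,openat -o` output from a binary whose TLS validation is failing and lists every certificate-looking path it tried, marking whether the open succeeded. The strace lines below are constructed sample data, not real cstub output.

```sh
#!/bin/sh
# Assumed capture command (hypothetical program name):
#   strace -f -e trace=open,openat -o cstub.strace ./cstub <args>
# On RHEL7 the system anchors live under /etc/pki/ca-trust/source/anchors/;
# after copying a root CA there, run "update-ca-trust extract" so it lands in
# the bundle that OpenSSL/NSS-based programs read.

# Constructed strace output (not captured from a real system).
SAMPLE_STRACE='12345 openat(AT_FDCWD, "/etc/pki/tls/certs/ca-bundle.crt", O_RDONLY) = -1 ENOENT (No such file or directory)
12345 openat(AT_FDCWD, "/opt/.cisco/certificates/ca/rootca.pem", O_RDONLY) = 4
12345 openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = -1 ENOENT (No such file or directory)
12345 openat(AT_FDCWD, "/usr/lib64/libssl.so.10", O_RDONLY|O_CLOEXEC) = 3'

# cert_opens STRACE_TEXT
# Prints "OK <path>" or "MISSING <path>" for each open()/openat() of a
# certificate-looking file, so you can see which store the binary really uses.
cert_opens() {
    printf '%s\n' "$1" \
    | grep -E 'open(at)?\(' \
    | grep -Ei 'cert|\.pem|\.crt|ca-bundle|ca-trust' \
    | while IFS= read -r line; do
        # The quoted first argument is the path.
        path=$(printf '%s' "$line" | sed -E 's/.*"([^"]*)".*/\1/')
        case "$line" in
            *'= -1 '*) status=MISSING ;;   # syscall failed (ENOENT, EACCES, ...)
            *)         status=OK ;;
        esac
        printf '%s %s\n' "$status" "$path"
    done
}

# Usage: with a real capture, replace SAMPLE_STRACE by "$(cat cstub.strace)".
cert_opens "$SAMPLE_STRACE"
```

A MISSING entry for the system bundle alongside an OK entry for a private directory tells you the program is not consulting the update-ca-trust locations at all, which is exactly the case where placing the CA in the system store will not help.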




More information about the openconnect-devel mailing list