Openconnect and Cisco hostscan

Magnusson Peter Peter.Magnusson at smhi.se
Wed Sep 13 00:36:12 PDT 2017


Thank you for the reply!

No, the cstub binary is downloaded from the VPN server and is maintained
by Cisco.

strace doesn't really tell me anything; I can see that it opens dirs
that contain the needed CA certs, and even the CA cert files appear in
the strace, but it still doesn't seem to use them.

update-ca-trust is one of the methods I've tried (and the one that we
normally use) for providing the CA certs; cstub doesn't seem to
honor them.

On Tue, 2017-09-12 at 19:10 +0200, Nikos Mavrogiannopoulos wrote:
> On Tue, 2017-09-12 at 15:11 +0000, Magnusson Peter wrote:
> > We are running OpenConnect on RHEL7 against a Cisco ASA (with hostscan
> > enabled). After an upgrade for hostscan that was released recently,
> > version 4.3.0538, we are having problems connecting.
> > 
> > It seems to be due to a bugfix that Cisco provided in this release:
> > https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect43/release/notes/b_Release_Notes_AnyConnect_4_3.html#reference_yfw_wnj_r1b
> > "cstub should validate server certificates for a ssl connection"
> > 
> > The cstub binary is triggered by the cisco-wrapper script and tries to
> > communicate with the VPN server, but fails because it cannot verify the
> > root CA certificate.
> > 
> > We have tried to place the root CA certificate in every thinkable
> > certstore, but no luck. When running strace on cstub it looks like it's
> > actually reading the root CA cert from, for example,
> > /opt/.cisco/certificates/ca, but the certificate validation still
> > fails.
> 
> Is cstub a program for RHEL7? If yes, it should read the
> certificates from the locations documented in the update-ca-trust
> manpage.
> Otherwise you may want to use strace to figure out where it looks for
> them.
> 
> regards,
> Nikos
> 
-- 
Peter Magnusson
ITpc

SMHI
Phone 011-495 8547 Fax 011-4958350
Email Peter.Magnusson at smhi.se
601 76 Norrköping Visiting address Folkborgsvägen 17
www.smhi.se
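Added example, not part of the thread: a small Python helper for the strace step suggested above. It reads strace output and reports, for each trust-store path the traced program touched, whether the open succeeded, which errno it failed with, and how many bytes were actually read, so "opened but never read" stands out. The trust-store path list and the sample trace are constructed for illustration.

```python
import re
# Where a RHEL7 program should find trust anchors (update-ca-trust output),
# plus the vendor-specific directory named in the report.
CA_PATH_HINTS = ("/etc/pki/ca-trust/", "/etc/pki/tls/certs/", "/etc/ssl/certs/",
                 "/opt/.cisco/certificates/")
# strace -f prefixes each line with "[pid NNN]"; open() and openat() both occur.
_PID = r"^(?:\[pid\s+\d+\]\s+)?"
OPEN_RE = re.compile(_PID + r'open(?:at)?\((?:AT_FDCWD,\s*)?"([^"]+)"[^)]*\)'
                    r"\s*=\s*(-?\d+)(?:\s+(E[A-Z]+))?")
READ_RE = re.compile(_PID + r"read\((\d+),.*\)\s*=\s*(-?\d+)")
CLOSE_RE = re.compile(_PID + r"close\((\d+)\)")

def cert_access_report(trace_lines):
    """Map each cert-store path in the trace to (opened_ok, errno, bytes_read)."""
    report, fd_to_path = {}, {}  # fd_to_path ties read() calls back to a path
    for line in trace_lines:
        m = OPEN_RE.match(line)
        if m:
            path, ret, err = m.group(1), int(m.group(2)), m.group(3)
            if not path.startswith(CA_PATH_HINTS):
                continue  # unrelated file (shared libs, locale data, ...)
            entry = report.setdefault(path, [False, err, 0])
            if ret >= 0:
                entry[0], entry[1] = True, None
                fd_to_path[ret] = path
            continue
        m = READ_RE.match(line)
        if m and int(m.group(1)) in fd_to_path and int(m.group(2)) > 0:
            report[fd_to_path[int(m.group(1))]][2] += int(m.group(2))
        m = CLOSE_RE.match(line)
        if m:
            fd_to_path.pop(int(m.group(1)), None)  # fd numbers are reused
    return {p: tuple(v) for p, v in report.items()}

def opened_but_unread(report):
    """Trust-store paths found but never loaded (directories only listed show up too)."""
    return sorted(p for p, (ok, _, n) in report.items() if ok and n == 0)

# Constructed sample in strace's output format, modelled on the symptom in the
# thread: CA paths are opened, yet only one bundle is actually read.
SAMPLE_TRACE = r"""
open("/etc/pki/tls/certs/ca-bundle.crt", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/opt/.cisco/certificates/ca", O_RDONLY|O_DIRECTORY) = 4
close(4) = 0
openat(AT_FDCWD, "/opt/.cisco/certificates/ca/root-ca.pem", O_RDONLY) = 4
close(4) = 0
openat(AT_FDCWD, "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", O_RDONLY) = 5
read(5, "-----BEGIN CERTIFICATE-----\n"..., 4096) = 4096
close(5) = 0
""".splitlines()
```

Feed it the output of `strace -f -e trace=openat,open,read,close -o trace.log <program>`; a CA file that appears under `opened_but_unread` was located but never loaded, which is a different failure from a file the program could not find at all.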