Centos 7 curl does not support '--pinnedpubkey' use in csd-post and csd-wrapper

Daniel Lenski dlenski at gmail.com
Tue Jul 28 17:57:16 EDT 2020


On Tue, Jul 28, 2020 at 10:39 AM Sindlinger, Randall A.
(GSFC-619.0)[SCIENCE SYSTEMS AND APPLICATIONS INC]
<randall.a.sindlinger at nasa.gov> wrote:
>
> Hello,
>
> I'm trying to use openconnect under Centos 7.  I'm using the repo-supplied version of openconnect:
> $ openconnect --version
> OpenConnect version v8.10
> Using GnuTLS 3.3.29. Features present: TPM, PKCS#11, RSA software token, HOTP software token, TOTP
> software token, Yubikey OATH, DTLS, ESP
> Supported protocols: anyconnect (default), nc, gp, pulse
>
> I had used openconnect successfully on a different system, but now I am failing to connect to the
> Cisco VPN.  It seems the cause is that the supplied version of curl is 7.29.0, and does not support
> the --pinnedpubkey used in the csd-post.sh and csd-wrapper.sh scripts.  (I am currently trying to
> use the updated csd-post script at https://gitlab.com/openconnect/openconnect/-/tree/master/trojans)

The --pinnedpubkey option allows cURL to verify that the *server*
certificate it sees when connecting to the VPN server exactly matches
the one seen by OpenConnect itself, and which OpenConnect validates
via either PKI or manual approval of the certificate fingerprint. This
prevents MITM attacks intercepting the traffic queries/responses
between cURL and CSD/hostscan.

Theoretically, this is a good security improvement, and I'm glad we
added it, but in practice a MITM of CSD submission is (a) very
unlikely and (b) not very dangerous or interesting, because the CSD
response sent by csd-post.sh contains very little in the way of
uniquely identifying data.

Unless you are very, very paranoid about security, the easiest way to
solve this will be to simply disable the server-certificate-validating
behavior of the CSD submission… which is what old versions of
OpenConnect did anyway, as you note.

I've written a simple MR to add a variable to the scripts, which you
can set (INSECURE=true) to do this easily. Please test the modified
scripts from https://gitlab.com/openconnect/openconnect/-/merge_requests/125

> If I need to build curl, before I go down that rabbit hole, will the --pinnedpubkey support have a
> reasonable likelihood of solving my problem?

Yes, the problem that you are having is clearly caused by lack of
--pinnedpubkey support.

> PS - I'm pointing openconnect to (I thought) the same cert Cisco Anyconnect is using, so I didn't
> think I have a cert issue.  But I just tried changing the invocation to use my RSA token instead of
> PIV card, and have a different set of errors, that calls the cert into question.  Perhaps this sheds
> additional light on my problem, and I've been barking up the wrong tree?  (The openconnect.conf file
> is provided after my signature)

This is unrelated. It appears you are confusing the *client*
certificate needed for your VPN with the *server* certificate. The
latter is what the OpenConnect client itself validates, and what
OpenConnect is also trying to get (modern versions of) cURL to
validate using the --pinnedpubkey option.

You should not be changing anything about your client certificate handling.

> Using the csd-post script as-is, it loops on:
>    GET https://XXXXXXX.XXX.gov/+CSCOE+/sdesktop/wait.html
>    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
>    GET https://XXXXXXX.XXX.gov/+CSCOE+/sdesktop/wait.html
>    SSL negotiation with XXXXXXX.XXXX.gov
>    Connected to HTTPS on XXXXXXX.XXXX.gov with ciphersuite (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-
> GCM)
>    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...

Hmmm… I thought we fixed the "endless looping" behavior in
https://gitlab.com/openconnect/openconnect/-/commit/ad3ef669b02e8bf27aaa71a146684a3867087c65
(included in v8.06 and newer). I'm not sure I understand the
combination of options you're using here, so I'm going to ignore this
for now and we can revisit if upgrading cURL or enabling the INSECURE
option in the CSD scripts doesn't work.

Dan
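The following POSIX shell is an added example, not code from the OpenConnect project, from the csd-post.sh/csd-wrapper.sh scripts, or from either poster. It shows the decision a CSD submission script has to make before calling cURL: derive the SPKI pin from the server certificate (the recipe from the curl manual), check whether the installed cURL is new enough to honour --pinnedpubkey, and either pin, fall back explicitly when the operator has set INSECURE=true, or fail with a clear message instead of looping on an unknown option. Assumptions: the version threshold 7.44.0 is taken from the curl manual as the first release supporting the sha256// pin form across TLS backends; the function names and the INSECURE semantics are mine and need not match merge request 125.

```shell
#!/bin/sh
# Added example: choosing cURL's server-verification arguments for a CSD post.
# Not the OpenConnect scripts; function names and INSECURE handling are illustrative.

# Version of the installed curl, e.g. "7.29.0" on CentOS 7 (empty if curl is absent).
curl_version() {
    curl --version 2>/dev/null | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when dotted version $1 >= $2, comparing major.minor.patch numerically.
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$1" | cut -d. -f"$i"); b=$(printf '%s' "$2" | cut -d. -f"$i")
        a=${a:-0}; b=${b:-0}
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Does curl (version $1, default: the installed one) accept --pinnedpubkey sha256//...?
# Threshold taken from the curl manual (assumption: 7.44.0 for the sha256// form).
curl_supports_pinnedpubkey() {
    version_ge "${1:-$(curl_version)}" "7.44.0"
}

# Derive the "sha256//<base64>" pin from a PEM certificate: SHA-256 over the
# DER-encoded SubjectPublicKeyInfo, base64-encoded (the curl manual's recipe).
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform der \
      | openssl dgst -sha256 -binary \
      | openssl enc -base64 \
      | sed 's|^|sha256//|'
}

# Print the TLS-related curl arguments for the CSD submission.
#   $1 = pin ("sha256//..."), $2 = INSECURE flag (true/false), $3 = curl version
# --insecure skips CA-chain checking (the VPN certificate may only have been
# fingerprint-approved in OpenConnect); the pin is what authenticates the server,
# and curl enforces --pinnedpubkey independently of --insecure.
csd_curl_args() {
    pin=$1; insecure=${2:-false}; ver=${3:-$(curl_version)}
    if [ "$insecure" = true ]; then
        # Operator opted out: no pinning, as the pre-pinning scripts behaved.
        printf '%s\n' "--insecure"
    elif curl_supports_pinnedpubkey "$ver"; then
        printf '%s\n' "--insecure --pinnedpubkey $pin"
    else
        # Fail closed with a diagnosis rather than letting curl reject the option.
        printf 'curl %s lacks --pinnedpubkey; upgrade curl or set INSECURE=true\n' "$ver" >&2
        return 1
    fi
}
```

In a real wrapper the printed string would be spliced into the curl command line (`curl $(csd_curl_args "$PIN" "$INSECURE") ...`) and `spki_pin` would be fed the certificate OpenConnect itself accepted, so both sides of the CSD exchange are bound to the same server key.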


