AnyConnect vs OpenConnect
Daniel Lenski
dlenski at gmail.com
Thu Oct 8 14:31:35 EDT 2020
On Thu, Oct 8, 2020 at 4:46 AM hanoh haim <hhaim.hanoh at gmail.com> wrote:
> I have the installation script of AnyConnect there are two .PEM files under
> /opt/.cisco/certificate/ca/
>
>
> adding "-c *.pem"
>
> return
>
> "Failed to determine type of private key "
>
> How can I convert the two files to client cert?
> Shouldn’t the certificate be different per machine? It is the same for
> all installations ..
Those files are SERVER certs, not CLIENT certs.
Like David says, AnyConnect for Linux normally stores your client
certs into the Firefox cert store. So go into your Firefox
preferences, search for client certificates, look for the cert there…
and export it along with its private key as needed.
> BTW
> I read your original email about openconnect project in Linux mailer
> describing the protocol. Very nice job hacking it.
> Did you replaced the openssl library with one that extract the master
> keys and looked into the decrypt https sessions? Do you have something
> describing how you reverse engineering it?
I can't speak to exactly how David worked out the details of the
AnyConnect protocol originally, but I gave a recent talk where I went
through the process of figuring out how the GlobalProtect protocol
works. Slides here:
https://www.dropbox.com/s/nvqhjn7a1c5mqye/How%20VPNs%20Work%20-%20Daniel%20Lenski%20at%20DAMA%20PDX%2C%20September%202020.pdf?dl=0
The brief summary is that you can run "official" client software on a
VM and use MITM proxy to decrypt TLS/HTTPS traffic. This approach will
work even if the client software can't be directly tortured into
dumping its session keys.
Dan
More information about the openconnect-devel
mailing list