csd-post.sh "You are attempting to use a digital certificate not assigned to this device"
Daniel Lenski
dlenski at gmail.com
Fri Jun 30 11:09:45 PDT 2023
On Mon, Jun 26, 2023 at 4:56 AM Grant Williamson <traxtopel at gmail.com> wrote:
> I'm encountering an issue with the csd-post.sh script. When attempting
> to use it, I receive the error message: "You are attempting to use a
> digital certificate not assigned to this device." I would appreciate
> any insights on how to add support for when a server cross checks the
> MAC address functionality in the script.
> Helps if I just try using what is there. Sorry.
> endpoint.device.MAC["FFFF.FFFF.FFFF"]="true";
Glad you figured it out, but… wow.
"Digital certificate not assigned to this device" is a very
misleading/unclear/irrelevant error message for "you didn't tell us
your MAC address."
Unfortunately, OpenConnect has encountered many such similar cases
where VPN servers send vague/misleading error messages when they reach
an unexpected state
(https://gitlab.com/openconnect/openconnect/-/blob/master/gpst.c#L672-676).
It appears that their developers and administrators only test them
against their official clients, and don't consider what would happen
if a different client sent a different set of information.
(Needless to say, these kinds of flawed assumptions are also a rich
source of security vulnerabilities. 😈)