topic I'm not sure how the AC VPN in Network Security

AnyConnect display server certificate?

K. M. Peterson — Tue, 12 Mar 2019 09:06:21 GMT

Hi all,

I've been asked a question about a customer who uses AnyConnect for access to a secure network from related networks in their organization, some of which use TLS-decrypting proxy servers.

I realized that there are a number of possible scenarios where there might be personnel running SSL VPN sessions from these networks. I had, at first thought, presumed that a correctly configured certificate store on the ASA 5515 (software version 9.4(3).8) would ensure that if a proxy was inline with an untrusted certificate the user would be warned of a problem in the certificate chain. I do understand that this question assumes that the CA and/or certificate(s) presented by the proxy are untrusted by the client, though I'd still like to be able to know if possible if that certificate is being substituted.

But (for the PCI assessors) I don't know how to verify this. I would think that the client "knows" which certificate is presented by the VPN server, so as with other applications I can verify the certificate identity is correct - but I don't know whether this is something that can be queried or displayed by the AnyConnect client. That's the easiest approach, if this is accessible somewhere on the client. Other approaches:

logging on the server would indicate whether there is an anomaly in session setup with a AnyConnect client?
query on the ASA console with detail on the connection?
fire up Wireshark on the client and watch the datastream?

The initial indication that I have is that there is nothing out of the ordinary, though connection to the AnyConnect https service (we've disabled WebVPN but the software download page is still accessible) is proxied (and the browser generates the expected "certificate invalid" warning). But the AnyConnect client does not, which is what raises our concern.

So, two questions:

Under what circumstances will the AnyConnect client complain that there is an SSL MITM with an untrusted certificate? Or is there a way to configure something similar to "certificate stapling" in the configuration?
How to verify that an AnyConnect session is using a specific certificate on the server?

Hope this isn't overly difficult to answer... thanks!

I'm not sure how the AC VPN

Marvin Rhoads — Wed, 22 Mar 2017 15:46:44 GMT

I'm not sure how the AC VPN agent responds to a trusted MITM. A Wireshark capture would definitely be a definitive source to see exactly what's going on.

I do know that you can pull a DART log and see the connection to the ASA. I just checked my DART log (select AnyConnect Secure Mobility Client log option only and then look at anyconnect,txt log file) as follows:

Date : 03/22/2017
Time : 23:23:18
Type : Information
Source : acvpnagent
Description : Function: CSslTunnelTransport::postSocketConnectProcessing
File: SslTunnelTransport.cpp
Line: 1360
Opened SSL socket from [192.168.0.104]:2204 to [<my ASA public address redacted>]:443

Hello Marvin,

K. M. Peterson — Wed, 22 Mar 2017 23:17:54 GMT

Hello Marvin,

Thanks, that's an informative response.

I recall DART from a prior version of AnyConnect, but I don't see any of its functionality in the version I am running (4.2.02075). Funny, I could have sworn it was there.

I did decide to go poking around to see whether it was a separate executable. On Windows (not my primary platform) I found a few other files. There's vpnui.exe (what gets started by the installed Start Menu item), and also vpncli.exe and vpnagent.exe.

I haven't had a chance to play around with the vpnagent.exe, but the vpncli.exe was what I would have expected, a command-line version of the application. Within it, there are several commands that make sense; a state command which provides pretty much the same information as from the UI. Perhaps there are command line options for vpnagent.exe, but I suspect not.

If you have any idea where the DART functionality lives (perhaps I need another installer), I'd be interested to hear. Thanks!

Yes - DART is not installed

Marvin Rhoads — Thu, 23 Mar 2017 02:13:51 GMT

Yes - DART is not installed by default.

I always use the offline installer for my own machine and choose it as an option in addition to the VPN, NAM and Umbrella modules I use daily.

Note that AnyConnect also has an application event log under Windows. There's a lot of overlap in the info that you can find there as well.