Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
6772
Views
5
Helpful
17
Comments

Hostscan Signature Verification Errors on Linux

Atri Basu
Cisco Employee
Cisco Employee

on ‎02-08-2013 11:07 AM

Symptoms:

The following behavior has been noticed only by linux users who are also running CSD HostScan:

screenshot.png

Cause / Problem Description

In the libcsd.log file you'll see:

-------------------------------------------------8<----------------------------------------------

[Thu Feb 07 18:52:15.774 2013][libcsd][all][csd_init] hello
[Thu Feb 07 18:52:15.774 2013][libcsd][all][csd_init] libcsd.so version 3.1.02040
[Thu Feb 07 18:52:15.774 2013][libcsd][debug][hs_transport_init] initialization
[Thu Feb 07 18:52:15.774 2013][libcsd][debug][hs_file_verify_with_killdate] verifying file signature: file = [/opt/cisco/anyconnect/lib/libaccurl.so.4.2.0], signer = [Cisco Systems, Inc.], type = [2]
[Thu Feb 07 18:52:15.963 2013][libcsd][error][verify_cb] Error 10, certificate has expired
[Thu Feb 07 18:52:15.963 2013][libcsd][error][verify_cert] Certificate is not trusted
[Thu Feb 07 18:52:15.964 2013][libcsd][error][hs_file_verify_with_killdate] unable to verify the certificate trust.
[Thu Feb 07 18:52:15.964 2013][libcsd][error][hs_dl_load_global] file signature invalid, not loading library (/opt/cisco/anyconnect/lib/libaccurl.so.4.2.0).
--------------------------------------------------8<---------------------------------------------

This is because the CSD HostScan code signing certificate expired yesterday. Mac and Windows users are not affected as the client code only checks if the certificate was valid when the code was signed. However, the Linux code checks on the current validity of the certificate.

Resolution:

The behavior on Linux will be changed as soon as posisble to mirror the treatment on MAC and Windows. While we don't recommend changing the system clock as a matter of course, for the time being the only way around it is to reset the linux system clock to something before Feb 7th, 2013. Please see bug CSCue49663 for addition details.

Important UPDATE: This bug is now fixed in AC 3.1.2043.

Your ASA should be configured as follows:
webvpn
enable outside
csd hostscan image disk0:/hostscan_3.1.02043-k9.pkg
csd enable
anyconnect image disk0:/anyconnect-win-3.1.02040-k9.pkg 1 regex "Windows NT"
anyconnect image disk0:/anyconnect-macosx-i386-3.1.02040-k9.pkg 2 regex "Mac OS"
anyconnect image disk0:/anyconnect-linux-3.1.02043-k9.pkg* 3 regex "Linux"


Labels:
Comments
Atri Basu
Cisco Employee
Cisco Employee
‎02-21-2013 07:45 AM

Weslan, There already is one, but you will still need the 2043 hostscan image loaded on the ASA to make this work.

darinsmiller
Level 1
Level 1
‎02-21-2013 07:53 AM

As per Randy's comments (he our sites' system admin), my issue has been solved by the configuration he has outlined.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents