
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
on 02-08-2013 11:07 AM
Symptoms:
The following behavior has been noticed only by linux users who are also running CSD HostScan:
Cause / Problem Description
In the libcsd.log file you'll see:
-------------------------------------------------8<----------------------------------------------
[Thu Feb 07 18:52:15.774 2013][libcsd][all][csd_init] hello
[Thu Feb 07 18:52:15.774 2013][libcsd][all][csd_init] libcsd.so version 3.1.02040
[Thu Feb 07 18:52:15.774 2013][libcsd][debug][hs_transport_init] initialization
[Thu Feb 07 18:52:15.774 2013][libcsd][debug][hs_file_verify_with_killdate] verifying file signature: file = [/opt/cisco/anyconnect/lib/libaccurl.so.4.2.0], signer = [Cisco Systems, Inc.], type = [2]
[Thu Feb 07 18:52:15.963 2013][libcsd][error][verify_cb] Error 10, certificate has expired
[Thu Feb 07 18:52:15.963 2013][libcsd][error][verify_cert] Certificate is not trusted
[Thu Feb 07 18:52:15.964 2013][libcsd][error][hs_file_verify_with_killdate] unable to verify the certificate trust.
[Thu Feb 07 18:52:15.964 2013][libcsd][error][hs_dl_load_global] file signature invalid, not loading library (/opt/cisco/anyconnect/lib/libaccurl.so.4.2.0).
--------------------------------------------------8<---------------------------------------------
This is because the CSD HostScan code signing certificate expired yesterday. Mac and Windows users are not affected as the client code only checks if the certificate was valid when the code was signed. However, the Linux code checks on the current validity of the certificate.
Resolution:
The behavior on Linux will be changed as soon as posisble to mirror the treatment on MAC and Windows. While we don't recommend changing the system clock as a matter of course, for the time being the only way around it is to reset the linux system clock to something before Feb 7th, 2013. Please see bug CSCue49663 for addition details.
Important UPDATE: This bug is now fixed in AC 3.1.2043.
Your ASA should be configured as follows:
webvpn
enable outside
csd hostscan image disk0:/hostscan_3.1.02043-k9.pkg
csd enable
anyconnect image disk0:/anyconnect-win-3.1.02040-k9.pkg 1 regex "Windows NT"
anyconnect image disk0:/anyconnect-macosx-i386-3.1.02040-k9.pkg 2 regex "Mac OS"
anyconnect image disk0:/anyconnect-linux-3.1.02043-k9.pkg* 3 regex "Linux"
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
I am not privileged to view CSCue49663. Does Cisco have an ETA when either the client will be updated or the certificates renewed?

- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Darin, I've updated the bug. You should be able to view it now without any errors. Apart from that we are hoping to have a fix ready for this by tomorrow or latest by the end of this week.
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Posture Assessment problem still persists in 3.1.02043. When we downloaded 3.1.02043 yesterday afternoon, the package still had the original version of the CSD, Is this correct?
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
I also downloaded and installed 3.1.02043 and the problem is still present for me as well.
Fri Feb 15 09:27:26.530 2013][libcsd][error][verify_cb] Error 10, certificate has expired
[Fri Feb 15 09:27:26.530 2013][libcsd][error][verify_cert] Certificate is not trusted
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
[Fri Feb 15 09:46:59.987 2013][libcsd][debug][hs_file_verify_with_killdate] verifying file signature: file = [/home/somename/.cisco/hostscan/bin/cscan], signer = [Cisco Systems, Inc.], type = [2]
[Fri Feb 15 09:47:00.017 2013][libcsd][error][verify_cb] Error 10, certificate has expired
[Fri Feb 15 09:47:00.017 2013][libcsd][error][verify_cert] Certificate is not trusted

- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Are all of you using the Anyconnect package for the hostscan?
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Atri, Yes I am using the Anyconnect client (/opt/cisco/anyconnect/bin/vpnui). Same result occurs whether I use vpnui or the vpn terminal version.
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Atri, Yes I am also using the Anyconnect client (/opt/cisco/anyconnect/bin/vpnui).

- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Folks, I have customers who've reported that the AC client resolved their issue. So just to confirm do all of you have the following configuration in place:
webvpn
enable outside
csd hostscan image disk0:/anyconnect-win-3.1.02026-k9.pkg
csd enable
anyconnect image disk0:/anyconnect-win-3.1.02026-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-3.1.02026-k9.pkg 2
anyconnect image disk0:/anyconnect-linux-3.1.02026-k9.pkg 3
anyconnect enable
You don't necessarily need to add all the OS versions of anyconnect but note the CSD hostscan image being used is the anyconnect image.
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
I have the linux image anyconnect-predeploy-linux-3.1.02043-k9.tar.gz installed.

- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Still have the issues with the following images on the ASA:
webvpn
enable outside
csd hostscan image disk0:/anyconnect-win-3.1.02040-k9.pkg
csd enable
anyconnect image disk0:/anyconnect-win-3.1.02040-k9.pkg 1 regex "Windows NT"
anyconnect image disk0:/anyconnect-macosx-i386-3.1.02040-k9.pkg 2 regex "Mac OS"
anyconnect image disk0:/anyconnect-linux-3.1.02043-k9.pkg 3 regex "Linux"

- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
I have updated this doc with the configuration that should work. Can all of you please try that and let me know if it resolves your issues?
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Atri,
Will there be any updated "Predeploy" packages (I.e anyconnect-predeploy-linux-3.1.02043-k9.tar.gz)
that will work for linux, as I don't have access to the ASA server?

- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
I have confirmed that this combination appears to work with using the hostscan image for CSD...
webvpn
enable outside
csd hostscan image disk0:/hostscan_3.1.02043-k9.pkg
csd enable
anyconnect image disk0:/anyconnect-win-3.1.02040-k9.pkg 1 regex "Windows NT"
anyconnect image disk0:/anyconnect-macosx-i386-3.1.02040-k9.pkg 2 regex "Mac OS"
anyconnect image disk0:/anyconnect-linux-3.1.02043-k9.pkg 3 regex "Linux"
I am however, still regression testing other clients (Windows, MacOSX).
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
I'm also seeing this problem using anyconnect-win-3.1.02040-k9.pkg.
com.ibm.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: The certificate expired at Thu Feb 07 17:59:59 CST 2013; internal cause is:
java.security.cert.CertificateExpiredException: NotAfter: Thu Feb 07 17:59:59 CST 2013
at com.ibm.security.validator.PKIXValidator.doValidate(PKIXValidator.java:334)
at com.ibm.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:235)
at com.ibm.security.validator.Validator.validate(Validator.java:257)
at com.ibm.security.validator.Validator.validate(Validator.java:233)
at com.ibm.security.validator.Validator.validate(Validator.java:202)
at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.isTrustedByTrustDecider(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.getTrustedCodeSources(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler$ParentCallback.strategy(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler$ParentCallback.openClassPathElement(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.getJarFile(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.access$1000(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(AccessController.java:280)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.ensureOpen(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.<init>(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(AccessController.java:280)
at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(AccessController.java:314)
at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(ClassLoader.java:689)
at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Thread.java:780)
Caused by: java.security.cert.CertPathValidatorException: The certificate expired at Thu Feb 07 17:59:59 CST 2013; internal cause is:
java.security.cert.CertificateExpiredException: NotAfter: Thu Feb 07 17:59:59 CST 2013
at com.ibm.security.cert.BasicChecker.check(BasicChecker.java:203)
at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:294)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:265)
at com.ibm.security.validator.PKIXValidator.doValidate(PKIXValidator.java:329)
... 36 more
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Thu Feb 07 17:59:59 CST 2013
at com.ibm.security.x509.CertificateValidity.valid(CertificateValidity.java:458)
at com.ibm.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:731)
at com.ibm.security.cert.BasicChecker.check(BasicChecker.java:200)
... 39 more