Openconnect and hostscan -- not working with wildcard cert

robo0003c
Level 1

We are running Linux RHEL 7.4 with openconnect to connect to our ASA over SSL VPN. Since hostscan 4.3.05038 and onwards with fix CSCub32322: "cstub should validate server certificates for a ssl connection" we are no longer able to run cstub. If we run with Cisco's AnyConnect everything works fine, but with openconnect we receive:


[cstub]Function: moz_init Thread Id: 0x3EE49740 File: cert_moz.c Line: 134 Level: debug :: initializing mozilla certificate module... done
[cstub]Function: moz_cert_update_certdesc_status Thread Id: 0x3EE49740 File: cert_moz.c Line: 1065 Level: debug :: Found Certificate in store matching with: subjectCN(*.example.com)  issuerCN(DigiCert SHA2 Secure Server CA)
[cstub]Function: moz_cert_update_certdesc_status Thread Id: 0x3EE49740 File: cert_moz.c Line: 1065 Level: debug :: Found Certificate in store matching with: subjectCN(DigiCert Global Root CA)  issuerCN(DigiCert Global Root CA)
[cstub]Function: moz_cert_update_certdesc_status Thread Id: 0x3EE49740 File: cert_moz.c Line: 1065 Level: debug :: Found Certificate in store matching with: subjectCN(DigiCert SHA2 Secure Server CA)  issuerCN(DigiCert Global Root CA)
[cstub]Function: in_memory_cert_verify_callback Thread Id: 0x3EE49740 File: hs_transport_curl.c Line: 3117 Level: trace :: pre-verify(1) 
[cstub]Function: in_memory_cert_verify_callback Thread Id: 0x3EE49740 File: hs_transport_curl.c Line: 3147 Level: trace :: validated certificate at depth(2)
[cstub]Function: in_memory_cert_verify_callback Thread Id: 0x3EE49740 File: hs_transport_curl.c Line: 3117 Level: trace :: pre-verify(1) 
[cstub]Function: in_memory_cert_verify_callback Thread Id: 0x3EE49740 File: hs_transport_curl.c Line: 3147 Level: trace :: validated certificate at depth(1)
[cstub]Function: in_memory_cert_verify_callback Thread Id: 0x3EE49740 File: hs_transport_curl.c Line: 3117 Level: trace :: pre-verify(1) 
[cstub]Function: in_memory_cert_verify_callback Thread Id: 0x3EE49740 File: hs_transport_curl.c Line: 3147 Level: trace :: validated certificate at depth(0)
[cstub]Function: setup_in_memory_verification_and_verify Thread Id: 0x3EE49740 File: hs_transport_curl.c Line: 3329 Level: error :: failed to validate server name(vpn-ra-tst.example.com)
[cstub]Function: hostscan_ssl_verify_callback Thread Id: 0x3EE49740 File: hs_transport_curl.c Line: 3470 Level: debug :: Server verification result(Fail)
[cstub]Function: hs_transport_curl_get Thread Id: 0x3EE49740 File: hs_transport_curl.c Line: 4792 Level: debug :: libcurl error: Error 

We run openconnect with the following csd-wrapper: https://gist.github.com/l0ki000/56845c00fd2a0e76d688

The ASA is configured for a wildcard certificate and both the intermediate and root CA certs are added in the ASA CA certificates.


If we run a single-host certificate in the ASA everything works. The problem arises when running with wildcard cert.

Any ideas why there is a problem with wildcard certificates and cstub?
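For reference, this is how a standards-conforming verifier decides whether a server name such as vpn-ra-tst.example.com is covered by a wildcard certificate (RFC 6125 section 6.4.3: the wildcard must be the whole left-most label and covers exactly one label, and subjectAltName dNSName entries take precedence over the CN). This is an added example, not code from the thread or from Cisco's cstub; the certificate dict is constructed to resemble the wildcard certificate in the log above, in the shape Python's ssl.getpeercert() returns.

```python
"""RFC 6125 hostname matching against a (wildcard) server certificate."""

# Constructed sample resembling the wildcard certificate from the thread
# (subject CN *.example.com issued by DigiCert SHA2 Secure Server CA).
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "issuer": ((("commonName", "DigiCert SHA2 Secure Server CA"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname (case-insensitive,
    trailing dot ignored), applying the RFC 6125 wildcard rules."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire left-most label, and a pattern like
    # "*.com" (fewer than three labels) is rejected as too broad.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # A wildcard covers exactly one label: *.example.com matches
    # vpn-ra-tst.example.com but neither example.com nor a.b.example.com.
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """Prefer subjectAltName dNSName entries; fall back to the subject CN
    only when the certificate carries no SAN, as verifiers are expected to."""
    san_names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if san_names:
        return any(dns_name_matches(n, hostname) for n in san_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and dns_name_matches(value, hostname):
                return True
    return False
```

Under these rules the server name from the log, vpn-ra-tst.example.com, is covered by *.example.com, so a verifier that rejects it is applying stricter (or different) rules than the standard ones.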


victorbrca
Level 1

We have what looks like the same issue, however we are not using a wildcard certificate. I have tried using '--servercert' and '--cafile' with no luck.


[Mon Nov 20 13:02:05.936 2017][cstub]Function: moz_init Thread Id: 0xA946BB80 File: cert_moz.c Line: 134 Level: debug :: initializing mozilla certificate module... done
[Mon Nov 20 13:02:05.954 2017][cstub]Function: moz_cert_update_certdesc_status Thread Id: 0xA946BB80 File: cert_moz.c Line: 1065 Level: debug :: Found Certificate in store matching with: subjectCN(DigiCert SHA2 Secure Server CA)  issuerCN(DigiCert Global Root CA)
[Mon Nov 20 13:02:05.955 2017][cstub]Function: moz_free_api Thread Id: 0xA946BB80 File: cert_moz.c Line: 881 Level: debug :: NSS_Shutdown failed (-8053)
[Mon Nov 20 13:02:05.955 2017][cstub]Function: in_memory_cert_verify_callback Thread Id: 0xA946BB80 File: hs_transport_curl.c Line: 3117 Level: trace :: pre-verify(0)
[Mon Nov 20 13:02:05.955 2017][cstub]Function: in_memory_cert_verify_callback Thread Id: 0xA946BB80 File: hs_transport_curl.c Line: 3206 Level: trace :: CurrentDepth(1) Certificate CN(DigiCert SHA2 Secure Server CA) IssuerCN(DigiCert Global Root CA)
[Mon Nov 20 13:02:05.955 2017][cstub]Function: in_memory_cert_verify_callback Thread Id: 0xA946BB80 File: hs_transport_curl.c Line: 3208 Level: error :: verify_rc(0) as Error is occurred at CurrentDepth(1). errcode(2) errval(unable to get issuer certificate)
[Mon Nov 20 13:02:05.955 2017][cstub]Function: setup_in_memory_verification_and_verify Thread Id: 0xA946BB80 File: hs_transport_curl.c Line: 3334 Level: error :: Failed to validate Server(anyconnect.mydomain.com) certificates, verify_rc(0)
[Mon Nov 20 13:02:05.955 2017][cstub]Function: hostscan_ssl_verify_callback Thread Id: 0xA946BB80 File: hs_transport_curl.c Line: 3470 Level: debug :: Server verification result(Fail)
[Mon Nov 20 13:02:05.956 2017][cstub]Function: hs_transport_curl_probe Thread Id: 0xA946BB80 File: hs_transport_curl.c Line: 4877 Level: debug :: libcurl error: Error

We solved that specific error by adding both the intermediate certificate as well as the root certificate that signed the certificate to the CA Certificates on the Cisco ASA, i.e. under Device Management -> Certificate Management -> CA Certificates.


And thereafter editing those certificates and, under "Advanced", removing the check boxes under "validation usage" as well as under "Other Options".