cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

1499
Views
0
Helpful
2
Replies
Beginner

Openconnect and hostscan -- not working with wildcard cert

We are running Linux RHEL 7.4 with openconnect to connect to our ASA over SSL VPN. Since hostscan 4.3.05038 and onwards with fix CSCub32322: "cstub should validate server certificates for a ssl connection" we no longer are able to run cstub. If we run with Ciscos Anyconnect everything works fine, but with openconnect we receive:

 

[cstub]Function: moz_init Thread Id: 0x3EE49740 File: cert_moz.c Line: 134 Level: debug :: initializing mozilla certificate module... done
[cstub]Function: moz_cert_update_certdesc_status Thread Id: 0x3EE49740 File: cert_moz.c Line: 1065 Level: debug :: Found Certificate in store matching with: subjectCN(*.example.com)  issuerCN(DigiCert SHA2 Secure Server CA)
[cstub]Function: moz_cert_update_certdesc_status Thread Id: 0x3EE49740 File: cert_moz.c Line: 1065 Level: debug :: Found Certificate in store matching with: subjectCN(DigiCert Global Root CA)  issuerCN(DigiCert Global Root CA)
[cstub]Function: moz_cert_update_certdesc_status Thread Id: 0x3EE49740 File: cert_moz.c Line: 1065 Level: debug :: Found Certificate in store matching with: subjectCN(DigiCert SHA2 Secure Server CA)  issuerCN(DigiCert Global Root CA)
[cstub]Function: in_memory_cert_verify_callback Thread Id: 0x3EE49740 File: hs_transport_curl.c Line: 3117 Level: trace :: pre-verify(1) 
[cstub]Function: in_memory_cert_verify_callback Thread Id: 0x3EE49740 File: hs_transport_curl.c Line: 3147 Level: trace :: validated certificate at depth(2)
[cstub]Function: in_memory_cert_verify_callback Thread Id: 0x3EE49740 File: hs_transport_curl.c Line: 3117 Level: trace :: pre-verify(1) 
[cstub]Function: in_memory_cert_verify_callback Thread Id: 0x3EE49740 File: hs_transport_curl.c Line: 3147 Level: trace :: validated certificate at depth(1)
[cstub]Function: in_memory_cert_verify_callback Thread Id: 0x3EE49740 File: hs_transport_curl.c Line: 3117 Level: trace :: pre-verify(1) 
[cstub]Function: in_memory_cert_verify_callback Thread Id: 0x3EE49740 File: hs_transport_curl.c Line: 3147 Level: trace :: validated certificate at depth(0)
[cstub]Function: setup_in_memory_verification_and_verify Thread Id: 0x3EE49740 File: hs_transport_curl.c Line: 3329 Level: error :: failed to validate server name(vpn-ra-tst.example.com)
[cstub]Function: hostscan_ssl_verify_callback Thread Id: 0x3EE49740 File: hs_transport_curl.c Line: 3470 Level: debug :: Server verification result(Fail)
[cstub]Function: hs_transport_curl_get Thread Id: 0x3EE49740 File: hs_transport_curl.c Line: 4792 Level: debug :: libcurl error: Error 

We run openconnect with the following csd-wrapper: https://gist.github.com/l0ki000/56845c00fd2a0e76d688

The ASA is configured for a wildcard certificate and both the intermidiate and root CA certs are added in the ASA CA certificates.

 

If we run a single-host certificate in the ASA everything works. The problem arises when running with wildcard cert.

Any ideas why there is a problem with wildcard certificates and cstub?

 

2 REPLIES 2
Beginner

Re: Openconnect and hostscan -- not working with wildcard cert

We have what it looks like the same issue, however we are not using wildcard certificate. I have tried using '--servercert' and '--cafile' with no luck.  

 

[Mon Nov 20 13:02:05.936 2017][cstub]Function: moz_init Thread Id: 0xA946BB80 File: cert_moz.c Line: 134 Level: debug :: initializing mozilla certificate module... done
[Mon Nov 20 13:02:05.954 2017][cstub]Function: moz_cert_update_certdesc_status Thread Id: 0xA946BB80 File: cert_moz.c Line: 1065 Level: debug :: Found Certificate in store matching with: subjectCN(DigiCert SHA2 Secure Server CA)  issuerCN(DigiCert Global Root CA)
[Mon Nov 20 13:02:05.955 2017][cstub]Function: moz_free_api Thread Id: 0xA946BB80 File: cert_moz.c Line: 881 Level: debug :: NSS_Shutdown failed (-8053)
[Mon Nov 20 13:02:05.955 2017][cstub]Function: in_memory_cert_verify_callback Thread Id: 0xA946BB80 File: hs_transport_curl.c Line: 3117 Level: trace :: pre-verify(0)
[Mon Nov 20 13:02:05.955 2017][cstub]Function: in_memory_cert_verify_callback Thread Id: 0xA946BB80 File: hs_transport_curl.c Line: 3206 Level: trace :: CurrentDepth(1) Certificate CN(DigiCert SHA2 Secure Server CA) IssuerCN(DigiCert Global Root CA)
[Mon Nov 20 13:02:05.955 2017][cstub]Function: in_memory_cert_verify_callback Thread Id: 0xA946BB80 File: hs_transport_curl.c Line: 3208 Level: error :: verify_rc(0) as Error is occurred at CurrentDepth(1). errcode(2) errval(unable to get issuer certificate)
[Mon Nov 20 13:02:05.955 2017][cstub]Function: setup_in_memory_verification_and_verify Thread Id: 0xA946BB80 File: hs_transport_curl.c Line: 3334 Level: error :: Failed to validate Server(anyconnect.mydomain.com) certificates, verify_rc(0)
[Mon Nov 20 13:02:05.955 2017][cstub]Function: hostscan_ssl_verify_callback Thread Id: 0xA946BB80 File: hs_transport_curl.c Line: 3470 Level: debug :: Server verification result(Fail)
[Mon Nov 20 13:02:05.956 2017][cstub]Function: hs_transport_curl_probe Thread Id: 0xA946BB80 File: hs_transport_curl.c Line: 4877 Level: debug :: libcurl error: Error
Highlighted
Beginner

Re: Openconnect and hostscan -- not working with wildcard cert

We solved that specific error with adding both the intermediate certificate as well as the root certificate that signed the certificate to the CA Certificates on the Cisco ASA. So under Device Management -> Certificate Management -> CA Certificates.

 

And thereafter editing those certificates and under "Advanced" remove the check boxes under "validation usage" as well under "Other Options".

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here