On Tue, 2017-09-12 at 15:11 +0000, Magnusson Peter wrote:
> We are running Openconnect on rhel7 against Cisco ASA (with hostscan
> enabled). After an upgrade for hostscan that was released recently
> version 4.3.0538 we are having problems connecting.
>
> It seems to be due to a bugfix that cisco provided in this release:
> https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect43/release/notes/b_Release_Notes_AnyConnect_4_3.html#reference_yfw_wnj_r1b
> "cstub should validate server certificates for a ssl connection"
>
> cstub binary is triggered by the cisco-wrapper script and tries to
> communicate with the vpn server but fails because it cannot verify
> the root CA certificate.
>
> We have tried to place the root CA certificate in every thinkable
> certstore but no luck. When running strace on cstub it looks like it's
> actually reading the root CA cert from for example
> /opt/.cisco/certificates/ca but the certificate validation still
> fails.

Is the cstub a program for RHEL7? If yes, it should read the certificates from the locations documented in update-ca-trust manpage. Otherwise you may want to use strace to figure out where it looks for them.

regards,
Nikos
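
The strace approach suggested in the reply, as an added example that is not part of the original thread: a filter that lists which certificate-related paths a traced program tried to open and whether each open succeeded. The sample trace is constructed (only `/opt/.cisco/certificates/ca` comes from the thread), and the path-matching pattern is an assumption about what counts as certificate-related.

```shell
#!/usr/bin/env bash
# Capture a trace first, for example:
#   strace -f -e trace=open,openat -o cstub.trace <program> <args>
# then run:  cert_opens < cstub.trace

cert_opens() {
    # Prints "<OK|FAIL:errno> <path>" for each open()/openat() on a path that
    # looks certificate-related, de-duplicated, in first-seen order.
    awk '
        /open(at)?\(/ {
            if (!match($0, /"[^"]+"/)) next            # first quoted arg = path
            path = substr($0, RSTART + 1, RLENGTH - 2)
            # Assumed heuristic for "certificate-related" paths.
            if (path !~ /(cert|pki|ssl|\.pem$|\.crt$|ca-bundle)/) next
            n = split($0, parts, " = ")                # return value is last
            res = parts[n]
            if (res ~ /^-1/) { split(res, r, " "); status = "FAIL:" r[2] }
            else status = "OK"
            key = status " " path
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# Constructed sample trace, not real cstub output.
sample_trace() {
cat <<'EOF'
1234 open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
1234 open("/etc/pki/tls/certs/ca-bundle.crt", O_RDONLY) = -1 ENOENT (No such file or directory)
1234 open("/opt/.cisco/certificates/ca", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 4
1234 open("/opt/.cisco/certificates/ca/rootca.pem", O_RDONLY) = 5
1234 openat(AT_FDCWD, "/usr/lib64/libz.so.1", O_RDONLY|O_CLOEXEC) = 3
EOF
}

sample_trace | cert_opens
```

A path reported as `OK` only shows the file was opened; validation can still fail afterwards if the file's format or the chain it contains is not what the program expects.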