After Client Hello and Server Hello the server sends a certificate request and this is the answer sent by the anyconnect client. Shouldn't there be certificates visible? When the server sends its cert it has a length of 1709 but here in the client's response the certificates length is 0. Or am I missing something?

Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 7
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 3
            Certificates Length: 0
    TLSv1.2 Record Layer: Handshake Protocol: Client Key Exchange
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 70
        Handshake Protocol: Client Key Exchange
            Handshake Type: Client Key Exchange (16)
            Length: 66
            EC Diffie-Hellman Client Params
                Pubkey Length: 65
                Pubkey: 04fa7baae25fe53c492b3f3372be25d7f82a68b74b5edb38…
    TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
        Content Type: Change Cipher Spec (20)
        Version: TLS 1.2 (0x0303)
        Length: 1
        Change Cipher Spec Message
    TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 40
        Handshake Protocol: Encrypted Handshake Message

On Sun, 5 Apr 2020 at 22:17, David Woodhouse <dwmw2@xxxxxxxxxxxxx> wrote:
>
> On Sun, 2020-04-05 at 22:13 +0200, Kai G wrote:
> > I'm trying to connect to a Cisco ASA VPN using credentials on a
> > smartcard.
> >
> > My setup is Ubuntu 18.04 with OpenConnect 7.08.
> >
> > There are a bunch of certs on the card but I think I positively
> > identified the right one with the help of the anyconnect xml file and
> > p11tool.
> >
> > I can connect from Anyconnect on Windows 10 just fine using the same
> > card but when trying from another PC with linux and openconnect I get
> > a Certificate Validation Failure message from the server.
> >
> > Is there anything else I can do to debug this?
>
> My first guess is that your certificate is issued by an intermediate CA
> that isn't known to the server, and thus we need to provide it on the
> wire.
>
> And that you don't have your corporate CAs installed correctly on your
> system, otherwise you wouldn't need to give the --servercert argument.
>
> Amusingly, the certificate identity is sent in cleartext by Cisco's
> protocol, unlike some other VPNs. So if you do a packet capture (on the
> physical network) of the AnyConnect client connecting, and compare with
> the OpenConnect connection, you should be able to see that OpenConnect
> sends only one certificate while AnyConnect managed to find the issuer
> in the Windows certificate store and sends that too.
>

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
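As an added example, not code from this thread or from OpenConnect, here is a small Python parser for the TLS 1.2 Certificate handshake record dissected above; it reports how many certificates the peer actually put on the wire (none in the capture, one leaf from OpenConnect, leaf plus issuer from AnyConnect according to David's reply). The hex record is taken from the capture's lengths, and the DER blobs are constructed stand-ins, not real certificates.

```python
import struct

TLS_HANDSHAKE = 22   # TLS record content type
HS_CERTIFICATE = 11  # handshake message type

def parse_certificate_record(record: bytes) -> list:
    """Return the DER blobs in one TLS record holding a Certificate message.
    An empty list is the TLS 1.2 (RFC 5246) way for a client to say it has no
    suitable certificate, which is what 'Certificates Length: 0' above shows."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HANDSHAKE:
        raise ValueError("not a handshake record: content type %d" % ctype)
    body = record[5:5 + rlen]
    if len(body) != rlen or len(body) < 4:
        raise ValueError("record body shorter than declared")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != HS_CERTIFICATE:
        raise ValueError("not a Certificate message: handshake type %d" % hs_type)
    msg = body[4:4 + hs_len]
    if len(msg) != hs_len or len(msg) < 3:
        raise ValueError("handshake body shorter than declared")
    list_len = int.from_bytes(msg[:3], "big")
    chain = msg[3:3 + list_len]
    if len(chain) != list_len:
        raise ValueError("certificate_list shorter than declared")
    certs, off = [], 0
    while off < len(chain):  # each entry: 3-byte length followed by DER bytes
        clen = int.from_bytes(chain[off:off + 3], "big")
        der = chain[off + 3:off + 3 + clen]
        if off + 3 > len(chain) or len(der) != clen:
            raise ValueError("certificate entry shorter than declared")
        certs.append(der)
        off += 3 + clen
    return certs

def build_certificate_record(certs) -> bytes:
    """Inverse of the parser: wrap DER blobs in a TLS 1.2 Certificate record."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    msg = len(entries).to_bytes(3, "big") + entries
    hs = bytes([HS_CERTIFICATE]) + len(msg).to_bytes(3, "big") + msg
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(hs)) + hs

# Constructed input: the 12-byte record from the capture quoted above
# (record length 7, handshake length 3, certificate_list length 0).
EMPTY_CLIENT_CERT_RECORD = bytes.fromhex("16030300070b000003000000")
# Constructed stand-ins for a leaf and its issuer: minimal DER, not real certs.
FAKE_LEAF = bytes.fromhex("3003020101")
FAKE_ISSUER = bytes.fromhex("3003020102")
```

Feeding the parser the Certificate record from each client's capture gives a direct count of what was sent, so a one-element chain from OpenConnect versus a two-element chain from AnyConnect confirms the missing-intermediate explanation.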