
List:       openconnect-devel
Subject:    Re: AnyConnect vs OpenConnect
From:       Daniel Lenski <dlenski () gmail ! com>
Date:       2020-10-08 18:31:35
Message-ID: CAOw_LSESq71MOjyR3N11JFtUzfoWCnp=qP8udF5uSNoqor6WWQ () mail ! gmail ! com

On Thu, Oct 8, 2020 at 4:46 AM hanoh haim <hhaim.hanoh@gmail.com> wrote:
> I have the installation script of AnyConnect; there are two .PEM files under
> /opt/.cisco/certificate/ca/
> 
> 
> adding "-c  *.pem"
> 
> return
> 
> "Failed to determine type of private key "
> 
> How can I convert the two files to client cert?
> Shouldn't the certificate be different per machine? It is the same for
> all installations ..

Those files are SERVER certs, not CLIENT certs.

Like David says, AnyConnect for Linux normally stores your client
certs into the Firefox cert store. So go into your Firefox
preferences, search for client certificates, look for the cert there…
and export it along with its private key as needed.

> BTW
> I read your original email about openconnect project in Linux mailer
> describing the protocol. Very nice job hacking it.
> Did you replace the openssl library with one that extracts the master
> keys and look into the decrypted https sessions? Do you have something
> describing how you reverse engineered it?

I can't speak to exactly how David worked out the details of the
AnyConnect protocol originally, but I gave a recent talk where I went
through the process of figuring out how the GlobalProtect protocol
works. Slides here:
https://www.dropbox.com/s/nvqhjn7a1c5mqye/How%20VPNs%20Work%20-%20Daniel%20Lenski%20at%20DAMA%20PDX%2C%20September%202020.pdf?dl=0


The brief summary is that you can run "official" client software on a
VM and use MITM proxy to decrypt TLS/HTTPS traffic. This approach will
work even if the client software can't be directly tortured into
dumping its session keys.

Dan

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
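A check worth running before pointing `openconnect -c` at a PEM file, added here as an example that is not part of this thread: it reports whether a bundle actually carries a private key, whether the leaf certificate is a CA certificate (the kind found under /opt/.cisco/certificate/ca/), and whether the key matches the certificate. It assumes the third-party Python `cryptography` package; the sample bundles are constructed inside the script.

```python
import datetime, re
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)
SPKI = (serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)

def _ext(cert, cls):  # value of extension class cls, or None if the cert lacks it
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None

def classify_pem(pem: bytes) -> dict:
    """Report what a PEM bundle holds and whether 'openconnect -c' could use it."""
    certs, key = [], None
    for m in PEM_BLOCK.finditer(pem):
        tag, block = m.group(1), m.group(0)
        if tag == b"CERTIFICATE":
            certs.append(x509.load_pem_x509_certificate(block))
        elif tag.endswith(b"PRIVATE KEY") and tag != b"ENCRYPTED PRIVATE KEY":
            key = serialization.load_pem_private_key(block, password=None)
    r = {"certs": len(certs), "has_key": key is not None,
         "is_ca": False, "client_auth": False, "key_matches": False}
    if certs:
        cert = certs[0]  # the leaf cert conventionally comes first in a bundle
        bc, eku = _ext(cert, x509.BasicConstraints), _ext(cert, x509.ExtendedKeyUsage)
        r["is_ca"] = bool(bc and bc.ca)
        r["client_auth"] = bool(eku and ExtendedKeyUsageOID.CLIENT_AUTH in eku)
        if key is not None:
            r["key_matches"] = key.public_key().public_bytes(*SPKI) == cert.public_key().public_bytes(*SPKI)
    r["usable"] = r["has_key"] and r["key_matches"] and not r["is_ca"]
    return r

def demo_bundle(ca: bool, with_key: bool) -> bytes:
    """Constructed sample input: one self-signed cert (CA-style or client-style), optional key."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "demo")])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if not ca:
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
    pem = b.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)
    if with_key:
        pem += key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8, serialization.NoEncryption())
    return pem
```

A CA-only bundle like the ones in the Cisco install tree comes back with `is_ca` true and no key, which is the same mismatch that makes openconnect complain about the private key type.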
