Openconnect certificate validation with NetworkManager

Tags: certificate, networkmanager, ssl, vpn

On my Cinnamon (linux) desktop, I have set up an openconnect VPN connection in NetworkManager. When connecting, I don't seem to have any issues: the connection is established and network traffic is routed through it. However, my system log contains a worrying entry:

openconnect[2935]: SSL negotiation with (...)
openconnect[2935]: Server certificate verify failed: signer not found
openconnect[2935]: Connected to HTTPS on (...)
openconnect[2935]: Got CONNECT response: HTTP/1.1 200 OK

I tried using openconnect from the command line and it does not print anything about certificate issues (even in verbose mode). Also, there are no certificate errors with the site in Firefox or using wget (I have no idea which certificate store openconnect uses…).

Does that mean that the connection is prone to man-in-the-middle attacks? If the certificate could not be verified, why is there no confirmation prompt which asks me to trust the certificate before connecting and sending my credentials? Why is the issue only present when connecting using NetworkManager?

The command line of openconnect is

/usr/sbin/openconnect --servercert sha1:bee140657db50a73ee69f47fee9e4d670905206e --syslog --cookie-on-stdin --script /usr/lib/NetworkManager/nm-openconnect-service-openconnect-helper --interface vpn0 (ip):443

The warning is also present if I do not explicitly set a CA certificate in NetworkManager.

Best Answer

This issue is still present in Ubuntu 18.04 with network-manager-openconnect.

I think the issue here is that the connection is being made to the VPN server's IP address, rather than its DNS name:

$ ps aux | grep openconnect
/usr/sbin/openconnect --servercert sha256:<hash> --syslog --cookie-on-stdin --script /usr/lib/NetworkManager/nm-openconnect-service-openconnect-helper --interface vpn0 <ip>:443

Run the command manually, without the --servercert parameter:

$ /usr/sbin/openconnect <ip>:443 --authenticate
POST https://<ip>/
Connected to <ip>:443
SSL negotiation with <ip>
Server certificate verify failed: certificate does not match hostname
Certificate from VPN server "<ip>" failed verification.
Reason: certificate does not match hostname
To trust this server in future, perhaps add this to your command line:
   --servercert sha256:<hash>
Enter 'yes' to accept, 'no' to abort; anything else to view: 

Note the certificate verification failure.

Now using the hostname instead of the IP:

$ /usr/sbin/openconnect <hostname>:443 --authenticate
POST https://<hostname>/
Connected to <ip>:443
SSL negotiation with <hostname>
Connected to HTTPS on <hostname>
XML POST enabled
Please enter your username and password.

No certificate errors.

Now, using the IP with the servercert parameter:

$ /usr/sbin/openconnect <ip>:443 --authenticate --servercert sha256:<hash>
POST https://<ip>/
Connected to <ip>:443
SSL negotiation with <ip>
Server certificate verify failed: signer not found
Connected to HTTPS on <ip>
XML POST enabled
Please enter your username and password.

Compare the error to the first example - it's a different error. This one fails because the signer is not found. Considering that we're just specifying a hash, I guess that makes sense, as there's no trust chain to follow.

To me, I think the root cause is that network manager is for some reason connecting to the IP address rather than the hostname. Not sure why it would do this?
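As an added example (not from the question or the answer above), the three verification outcomes the answer contrasts can be reproduced offline with openssl: chain validation ("signer not found"), name matching ("certificate does not match hostname" when dialling an IP), and fingerprint pinning, which is what --servercert switches openconnect to. The certificates, the hostname vpn.example.test, the IP 192.0.2.1 and the pin are all constructed here; which bytes openconnect hashes for --servercert (certificate vs. public key) depends on its version and is not reproduced, only the pinning mechanism is.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the verification
# failures offline with openssl. Two constructed self-signed certificates
# stand in for the VPN server's certificate and for an unrelated CA.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: the "server" cert names the host in its SAN, not the IP.
selfsigned() {  # $1 = output basename, $2 = CN, $3 = subjectAltName value
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" -addext "subjectAltName=$3" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}
selfsigned server vpn.example.test DNS:vpn.example.test
selfsigned other  unrelated-ca     DNS:unrelated-ca
CERT="$WORK/server.pem"; OTHER_CA="$WORK/other.pem"

# Chain check: returns 0 only if $1 chains to a certificate in bundle $2.
# A bundle that lacks the issuer is the "signer not found" case.
chain_ok() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Name check: returns 0 only if $1's SAN covers the dialled name $2. An IP literal
# is matched as an IP (-verify_ip), anything else as a DNS name (-verify_hostname).
# The cert is passed as its own trust anchor so that only the name decides the result.
name_ok() {
  case "$2" in
    *[!0-9.]*) opt=-verify_hostname ;;
    *)         opt=-verify_ip ;;
  esac
  openssl verify -CAfile "$1" "$opt" "$2" "$1" >/dev/null 2>&1
}

# Pin check: returns 0 only if $1's SHA-256 fingerprint equals the pinned hex $2.
# A pin replaces both checks above, which is why openconnect still logs
# "signer not found" under --servercert and yet connects. openssl's certificate
# fingerprint is used here only to show the mechanism (openconnect's input differs by version).
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}
pin_ok() { [ "$(fingerprint "$1")" = "$2" ]; }

PIN=$(fingerprint "$CERT")
chain_ok "$CERT" "$OTHER_CA"      || echo "by chain:    signer not found"
name_ok  "$CERT" 192.0.2.1        || echo "by IP:       certificate does not match hostname"
name_ok  "$CERT" vpn.example.test && echo "by hostname: ok"
pin_ok   "$CERT" "$PIN"           && echo "by pin:      ok (chain and name not checked)"
```

The practical check for the situation in the question is the last line: with a pin in place, a wrong or missing trust chain is logged but not enforced, so the pinned hash must have been taken from a connection you already trusted.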
