On my Cinnamon (linux) desktop, I have set up an openconnect VPN connection in NetworkManager. When connecting, I don't seem to have any issues: the connection is established and network traffic is routed through it. However, my system log contains a worrying entry:
openconnect[2935]: SSL negotiation with (...)
openconnect[2935]: Server certificate verify failed: signer not found
openconnect[2935]: Connected to HTTPS on (...)
openconnect[2935]: Got CONNECT response: HTTP/1.1 200 OK
I tried using openconnect from the command line and it does not print anything about certificate issues (even in verbose mode). Also, there are no certificate errors with the site in Firefox or using wget (I have no idea which certificate store openconnect uses…).
Does that mean that the connection is prone to man-in-the-middle attacks? If the certificate could not be verified, why is there no confirmation prompt which asks me to trust the certificate before connecting and sending my credentials? Why is the issue only present when connecting using NetworkManager?
The command line of openconnect is:
/usr/sbin/openconnect --servercert sha1:bee140657db50a73ee69f47fee9e4d670905206e --syslog --cookie-on-stdin --script /usr/lib/NetworkManager/nm-openconnect-service-openconnect-helper --interface vpn0 (ip):443
The warning is also present if I do not explicitly set a CA certificate in NetworkManager.
Best Answer
This issue is still present in Ubuntu 18.04 with network-manager-openconnect. I think the issue here is that the connection is being made to the VPN server's IP address, rather than its DNS name:
Run the command manually, without the --servercert parameter:
Note the certificate verification failure.
Now using the hostname instead of the IP:
No certificate errors.
Now, using the IP with the servercert parameter:
Compare the error to the first example - it's a different error. This one fails because the signer is not found. Considering that we're just specifying a hash, I guess that makes sense, as there's no trust chain to follow.
To me, I think the root cause is that network manager is for some reason connecting to the IP address rather than the hostname. Not sure why it would do this?
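The three cases in the answer (chain and hostname verification against the DNS name, the same check against a bare IP, and a bare `sha1:` fingerprint pin as passed to `--servercert`) can be reproduced outside openconnect. The following is an added example, not code from the question, the answer or the openconnect project; the host, port and pin values are placeholders, and `check_server` needs network access, while `fingerprint` and `pin_matches` run offline.

```python
import hashlib
import socket
import ssl
from typing import Optional

# Added example (not part of the original post). A "sha1:<hex>" --servercert
# value is the SHA-1 of the DER-encoded leaf certificate: matching it proves
# you reached the expected certificate, but no CA chain or hostname is checked.


def fingerprint(der_cert: bytes, algo: str = "sha1") -> str:
    """Return the certificate fingerprint in openconnect's --servercert form."""
    return f"{algo}:{hashlib.new(algo, der_cert).hexdigest()}"


def pin_matches(der_cert: bytes, pin: str) -> bool:
    """Compare a pinned fingerprint to the presented certificate (no chain, no name check)."""
    algo, _, expected = pin.partition(":")
    return hashlib.new(algo, der_cert).hexdigest().lower() == expected.lower()


def check_server(host: str, port: int = 443, pin: Optional[str] = None) -> str:
    """Connect to host (DNS name or IP literal) and report how the cert was accepted."""
    strict = ssl.create_default_context()  # system CA store + hostname/IP-SAN match
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with strict.wrap_socket(sock, server_hostname=host):
                return "chain and hostname verified"
    except ssl.SSLCertVerificationError as err:
        # Connecting by IP typically fails here with "IP address mismatch"
        # unless the certificate carries that IP as a SAN entry.
        if pin is None:
            return f"verify failed: {err.verify_message}"
    # Pin given: fetch the leaf certificate without any verification and
    # compare it to the pin, which is all --servercert sha1:... does.
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with lax.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    if pin_matches(der, pin):
        return "pinned fingerprint matched (no trust chain checked)"
    return f"pin mismatch: server presented {fingerprint(der)}"


if __name__ == "__main__":
    # Placeholder values; replace with your VPN gateway's name and its pin.
    print(check_server("vpn.example.com"))
    print(check_server("192.0.2.10", pin="sha1:0000000000000000000000000000000000000000"))
```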