On Thu, Oct 8, 2020 at 4:46 AM hanoh haim <hhaim.ha...@gmail.com> wrote:

> I have the installation script of AnyConnect. There are two .PEM files under
> /opt/.cisco/certificate/ca/
>
> Adding "-c *.pem"
>
> returns
>
> "Failed to determine type of private key"
>
> How can I convert the two files to a client cert?
> Shouldn't the certificate be different per machine? It is the same for
> all installations ..

Those files are SERVER certs, not CLIENT certs. Like David says, AnyConnect for Linux normally stores your client certs in the Firefox cert store. So go into your Firefox preferences, search for client certificates, look for the cert there… and export it along with its private key as needed.

> BTW
> I read your original email about the openconnect project on the Linux mailer
> describing the protocol. Very nice job hacking it.
> Did you replace the openssl library with one that extracts the master
> keys and look into the decrypted https sessions? Do you have something
> describing how you reverse engineered it?

I can't speak to exactly how David worked out the details of the AnyConnect protocol originally, but I gave a recent talk where I went through the process of figuring out how the GlobalProtect protocol works. Slides here:

https://www.dropbox.com/s/nvqhjn7a1c5mqye/How%20VPNs%20Work%20-%20Daniel%20Lenski%20at%20DAMA%20PDX%2C%20September%202020.pdf?dl=0

The brief summary is that you can run "official" client software on a VM and use a MITM proxy to decrypt TLS/HTTPS traffic. This approach will work even if the client software can't be directly tortured into dumping its session keys.

Dan

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
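The "Failed to determine type of private key" error in the thread comes from feeding a file that holds only certificates (a CA bundle) to a client-cert option that also needs a private key. The following is an added example, not code from the thread or from openconnect: a small stdlib-only check that lists the PEM block labels in a file and says whether it can serve as a client cert at all. The function name `classify_pem` and the sample PEM contents are constructed for illustration; the base64 bodies are placeholders, since only the labels are inspected.

```python
import re

# PEM labels that contain private key material (PKCS#8, PKCS#1, SEC1, encrypted PKCS#8).
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

# One PEM block: BEGIN <label> ... END <same label>; re.S lets '.' span lines.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)


def classify_pem(text):
    """Return the block labels found plus a verdict on client-cert usability.

    A client cert file must carry at least one CERTIFICATE block and one
    private key block; a CA directory such as /opt/.cisco/certificate/ca/
    typically holds certificates only.
    """
    labels = [m.group(1) for m in PEM_BLOCK.finditer(text)]
    certs = sum(1 for label in labels if label == "CERTIFICATE")
    keys = sum(1 for label in labels if label in KEY_LABELS)
    if certs and keys:
        verdict = "certificate plus private key: usable as a client cert"
    elif certs:
        verdict = "certificate(s) only, no private key: not a client cert"
    elif keys:
        verdict = "private key only, no certificate"
    else:
        verdict = "no PEM blocks found"
    return {"labels": labels, "certs": certs, "keys": keys, "verdict": verdict}


# Constructed sample: a CA-bundle-style file with two certificates and no key.
CA_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIBcaplaceholder==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIBcbplaceholder==\n-----END CERTIFICATE-----\n"
)

# Constructed sample: what an exported client identity looks like.
CLIENT_IDENTITY = (
    "-----BEGIN CERTIFICATE-----\nMIIBclientplaceholder==\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nMIIEkeyplaceholder==\n-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, blob in (("ca bundle", CA_BUNDLE), ("client identity", CLIENT_IDENTITY)):
        result = classify_pem(blob)
        print(f"{name}: {result['labels']} -> {result['verdict']}")
```

Run it against the real files from the CA directory (read them into `text`) before passing anything to `-c`; a result with `keys == 0` explains the error without touching the VPN at all.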