On Mon, Jun 26, 2023 at 4:56 AM Grant Williamson <traxto...@gmail.com> wrote:
> I'm encountering an issue with the csd-post.sh script. When attempting
> to use it, I receive the error message: "You are attempting to use a
> digital certificate not assigned to this device." I would appreciate
> any insights on how to add support for when a server cross checks the
> MAC address functionality in the script.
>
> Helps if I just try using what is there. Sorry.
> endpoint.device.MAC["FFFF.FFFF.FFFF"]="true";

Glad you figured it out, but… wow.

"Digital certificate not assigned to this device" is a very misleading/unclear/irrelevant error message for "you didn't tell us your MAC address."

Unfortunately, OpenConnect has encountered many such similar cases where VPN servers send vague/misleading error messages when they reach an unexpected state (https://gitlab.com/openconnect/openconnect/-/blob/master/gpst.c#L672-676). It appears that their developers and administrators only test them against their official clients, and don't consider what would happen if a different client sent a different set of information.

(Needless to say, these kinds of flawed assumptions are also a rich source of security vulnerabilities. 😈)

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel