[16403] in athena10
Re: [help.mit.edu #2921971] AnyConnect on Linux fails without a
daemon@ATHENA.MIT.EDU (Jonathan Reed)
Sun Mar 17 14:01:54 2019
MIME-Version: 1.0
In-Reply-To: <rt-4.0.13-10786-1552843262-1457.2921971-4275-0@help.mit.edu>
From: Jonathan Reed <jdreed@gmail.com>
Date: Sun, 17 Mar 2019 14:01:08 -0400
Message-ID: <CADwaeHe2tHi=YEdrMogOSDY0J18yFtToz0SVPMhNiX4NhWxr2g@mail.gmail.com>
To: network-bugs@mit.edu
Cc: debathena@mit.edu
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Hi Brian,
I have long since left MIT (the last update on this ticket was 4 years
ago) and haven't tried this since then. I have CC'd the
debathena@mit.edu list in case others have tried it more recently, and
can determine whether the client still relies on the Mozilla
certificate store.
-Jon
On Sun, Mar 17, 2019 at 1:21 PM Brian Stephens via RT
<network-bugs@mit.edu> wrote:
>
> Hi Jon,
>
> Can you confirm whether this is still an issue?
>
> AnyConnect has been upgraded to version 4.6 now, and Firefox has also gone through numerous versions since this was first reported.
>
> Thanks.
>
> --
> Brian.
>
>
> On Wed Apr 29 08:03:48 2015, jdreed wrote:
> > Still present (the version hasn’t actually changed) with 3.1.05152,
> > which is on the grid right now.
> >
> > Feel free to point anyone at me if they need more details. It’s an
> > unusual case, and one I don’t expect them to encounter in testing.
> > My 1/6/2015 e-mail should contain enough of a summary for them to
> > get started.
> >
> > I don’t actually have a high expectation of them fixing this, but I’d
> > at least like to know we reported it to them. Alternatively, if we
> > want to decide it’s unusual enough to not bother reporting, that’s
> > fine too, and I’ll just document it in the kb.
> >
> > -Jon
> >
> >
> > On Apr 29, 2015, at 7:46 AM, Sar Haidar via RT <swrt@mit.edu> wrote:
> >
> > > Thanks for letting me know. Before I go ahead and send it to the
> > > network team, can you please try it out with the current version of
> > > the VPN client available on the grid and respond back.
> > >
> > > Thanks,
> > >
> > > Sar
> > >
> > >> On Apr 29, 2015, at 7:40 AM, Jonathan D Reed via RT <swrt@mit.edu>
> > >> wrote:
> > >>
> > >> This still needs to get reported to Cisco. I can do it if we have
> > >> a TAM or other contact.
> > >>
> > >> Sent from my mobile device
> > >>
> > >>> On Apr 29, 2015, at 7:23 AM, "Sar Haidar via RT" <swrt@mit.edu>
> > >>> wrote:
> > >>>
> > >>> Cleaning up the swrt queue and closing all tickets that have been
> > >>> sitting in the queue for 30 or more days. If this is still an
> > >>> issue, please create a new ticket. Sorry for the inconvenience.
> > >>>
> > >>>> On Tue Jan 06 16:27:02 2015, jdreed wrote:
> > >>>> It was on 64-bit Ubuntu, but I believe the Linux binary is the
> > >>>> same across all distributions. strace(1) on the binary showed it
> > >>>> attempting to stat things in ~/.mozilla/firefox.
> > >>>>
> > >>>> To clarify, I’m looking for one of three things from Cisco:
> > >>>>
> > >>>> - a patch that generates a useful error message (e.g. “A Firefox
> > >>>>   profile is required.”)
> > >>>> - a patch to give it an alternate certificate store or path to a
> > >>>>   PEM-encoded cert chain
> > >>>> - Cisco shipping its own CA certificates as part of the VPN
> > >>>>   client, and verifying against those.
> > >>>>
> > >>>> I do not recall the exact version of the VPN client, but it was
> > >>>> whatever vpn.mit.edu was serving in July.
> > >>>>
> > >>>> I can attempt to verify with the current version, if necessary.
> > >>>>
> > >>>> -Jon
> > >>>>
> > >>>>
> > >>>>> On Jan 6, 2015, at 2:30 PM, David LaPorte via RT <swrt@mit.edu>
> > >>>>> wrote:
> > >>>>>
> > >>>>> Jon,
> > >>>>>
> > >>>>> Can you confirm what operating system you tested on?
> > >>>>>
> > >>>>> thanks
> > >>>>> Dave
> > >>>>>
> > >>>>>> On Thu Jul 31 16:47:12 2014, jdreed wrote:
> > >>>>>> Hi folks,
> > >>>>>>
> > >>>>>> A user discovered (and I verified), that AnyConnect will not
> > >>>>>> run without a valid Firefox profile. The profile need not contain
> > >>>>>> anything at all, but it must exist. Some debugging suggests
> > >>>>>> that AnyConnect is abusing the Netscape Security Service as a
> > >>>>>> software token store — specifically that it relies on Mozilla’s
> > >>>>>> root certificate store to verify the server’s certificate. This
> > >>>>>> would be ok if it actually told the user what it was doing, or
> > >>>>>> displayed some helpful error (e.g. “Cannot find a certificate
> > >>>>>> database to verify against”), but it just displays a false
> > >>>>>> positive about being unable to verify vpn.mit.edu.
> > >>>>>>
> > >>>>>> This is kind of a major problem — in 2014, it’s perfectly
> > >>>>>> possible not to have any Mozilla profile at all. For example,
> > >>>>>> what if I used Chrome to download the VPN software? Can we
> > >>>>>> escalate this to a technical or engineering contact at Cisco?
> > >>>>>> The right thing to do here is for Cisco to ship its own root
> > >>>>>> store, but at a minimum, it should warn the user when it can’t
> > >>>>>> find anything to verify against (which is different than
> > >>>>>> verifying the certificate and finding it lacking). Ideally, it
> > >>>>>> would also be configurable to use the OS’s certificate store —
> > >>>>>> Red Hat, Fedora, Debian, Ubuntu and SuSE all include the major
> > >>>>>> certificate signers in a standard location for each distribution.
> > >>>>>>
> > >>>>>> Thanks,
> > >>>>>>
> > >>>>>> Jon
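A pre-flight check for the failure mode discussed in this thread, added here as an example and not code from the thread or from Cisco's client: it reports "no certificate store found" separately from a genuine verification failure, the distinction the 2014 report asks the client to make. It assumes Firefox's NSS database lives at <profile>/cert9.db (or the older cert8.db) under ~/.mozilla/firefox, that the distribution CA bundles sit at the three paths named in `preflight`, and that `openssl` is installed for the live chain check.

```shell
#!/bin/sh
# Added example (not the thread's or Cisco's code): tell "no certificate
# store to verify against" apart from "server chain failed to verify".
# Assumption: Firefox keeps its NSS db at <profile>/cert9.db (older: cert8.db).

# Print the first NSS certificate db below a .mozilla/firefox directory.
find_nss_db() {
    for db in "$1"/*/cert9.db "$1"/*/cert8.db; do
        [ -f "$db" ] && { printf '%s\n' "$db"; return 0; }
    done
    return 1
}

# Print the first non-empty CA bundle among the candidate paths given.
find_os_bundle() {
    for f in "$@"; do
        [ -s "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# Classify what a client could verify against; prints exactly one word:
#   no-store  : neither an NSS db nor an OS bundle (nothing to verify with)
#   nss-only  : only a Firefox profile db, the dependency the thread describes
#   os-bundle : a distribution CA bundle exists (what the thread asks for)
trust_store_status() {
    mozdir="$1"; shift
    if find_os_bundle "$@" >/dev/null; then echo os-bundle
    elif find_nss_db "$mozdir" >/dev/null; then echo nss-only
    else echo no-store; return 1
    fi
}

# A verification failure is only meaningful once a store exists. Live check
# (needs network and openssl): does the host's chain verify against a bundle?
verify_server_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -CAfile "$2" \
        </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# Usage: preflight vpn.mit.edu  (bundle paths: Debian/Ubuntu, Red Hat/Fedora, SuSE)
preflight() {
    bundles="/etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/ca-bundle.pem"
    case "$(trust_store_status "$HOME/.mozilla/firefox" $bundles)" in
        no-store)  echo "error: no certificate store found; cannot verify $1"; return 2 ;;
        nss-only)  echo "warning: only a Firefox profile db is available to verify $1" ;;
        os-bundle) verify_server_chain "$1" "$(find_os_bundle $bundles)" &&
                   echo "ok: $1 verified against the OS bundle" ||
                   { echo "error: $1 chain failed verification"; return 1; } ;;
    esac
}
```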