
Add support for client authentication. #8

Merged 1 commit, Apr 30, 2020

Conversation

bdabelow (Contributor)

Implements TLS client authentication with the VPN backend.

Gilks (Owner) commented Apr 17, 2020

This is a nice update. I thought the original implementation was a bit confusing too. To use the TLS options you needed to create a cert/key file with the same name but different extensions. Due to never using it, I just left it alone. Specifying individual files (and actually respecting them) seems like a much needed improvement.

I appreciate the PR! I'll get this tested and if all goes well, I'll merge it.
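A self-contained Go illustration of the mutual TLS the PR adds, written here as an added example and not taken from the hostscan-bypass project or this PR: the server is configured to require a client certificate, and Handshake shows it accepting a client that presents the trusted certificate and rejecting one that presents none. Everything is constructed for the demo: the certificates are generated in memory (the tool would load them from the cert and key files discussed above), the server listens on loopback, and the names vpn.example and user.example are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSigned builds an in-memory self-signed certificate (constructed test material).
func selfSigned(cn string) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, DNSNames: []string{"localhost"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// The two identities; the tool itself loads these from the cert and key files on disk.
var serverCert, clientCert = selfSigned("vpn.example"), selfSigned("user.example")

// Handshake runs one mutual-TLS handshake over loopback with the client offering
// clientCerts (possibly none) and returns the server's verdict: nil means accepted.
func Handshake(clientCerts ...tls.Certificate) error {
	clientCAs, roots := x509.NewCertPool(), x509.NewCertPool()
	clientCAs.AddCert(clientCert.Leaf) // the only client identity the server accepts
	roots.AddCert(serverCert.Leaf)     // the only server identity the client accepts
	srvCfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientCAs: clientCAs,
		ClientAuth: tls.RequireAndVerifyClientCert} // a missing or untrusted client cert fails
	cliCfg := &tls.Config{RootCAs: roots, ServerName: "localhost", Certificates: clientCerts}
	ln, _ := net.Listen("tcp", "127.0.0.1:0") // loopback listener, port chosen by the OS
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() { // server side: accept one connection and report its handshake result
		conn, _ := ln.Accept()
		srvErr <- tls.Server(conn, srvCfg).Handshake()
		conn.Close()
	}()
	if cli, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil {
		cli.Close()
	}
	return <-srvErr
}
```

Because tls.Certificate.PrivateKey only has to implement crypto.Signer, a key that lives on a smartcard or other token and can never be exported plugs in at the same point, with only the certificate read off the token.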

Gilks (Owner) commented Apr 30, 2020

I apologize for the delay. Everything looks great. Landing.

Gilks merged commit 7878fee into Gilks:master Apr 30, 2020

bdabelow (Contributor, Author)

Thanks.

bdabelow deleted the client-auth branch April 30, 2020 14:15

zviratko commented May 6, 2020

This will work only if you can export the cert & key, but would it be possible to use a PKCS#11 token for authentication? Commonly, smartcards are used for authentication with certs, and you can't MITM that (or at least I don't think you can).

Gilks (Owner) commented May 6, 2020

Are you saying that you need the PKCS#11 token in order to get to the hostscan phase? I've never had the chance to use smartcard authentication.

Hostscan takes place prior to any authentication so you should still be able to make use of the bypass. Once you have the hostscan-bypass.sh file you can use the OpenConnect smartcard support outlined here.

zviratko commented May 6, 2020

Yes, that's what I'm saying exactly. You need to use client cert authentication before you get anywhere, no other authentication is done after that.
While hostscan traditionally is "pre-auth", in my case it's just used for DAP afterwards. I think this is a common scenario when using client certificates exclusively.

Gilks (Owner) commented May 6, 2020

It sounds like that environment is using the ISE posture modules rather than hostscan. See this issue where someone is describing something similar.

I'd love to get my hands on an environment that has this setup so I could try to break it. Unfortunately I don't have any way to develop a solution.

In theory it should still be possible.

zviratko commented May 6, 2020

No, this really is hostscan.
I can actually connect with openconnect + csd-post (my own variant of it, anyway), it's just that the first thing that happens is that you need to present a certificate. This made it somewhat hard to come up with a working payload for the CSD part as you need to scrape it from the logs and the format is not really clear.
Also, some things that used to work with ASA 9.6/9.8 don't work with 9.12 as they used to, in particular I need to POST the hostscan results with curl --data-binary AND it needs to be under 1KiB for curl not to do a silly expect-100 dance... (still trying to understand why that happens, so far it seems like Cisco decided to use the HTTP protocol for stuff without knowing how HTTP works...)

Gilks (Owner) commented May 6, 2020

That's a fun fact. I had no idea that it was possible to make hostscan occur after authentication.

Have you tried exporting the non-exportable cert using mimikatz? I still don't have a smartcard to test with but if all you need is that cert then mimikatz should do the trick.

zviratko commented May 6, 2020

You can't export a cert from smartcard (to be exact, you can extract the cert but you can't ever extract the private key). So no, that won't help.

With a certificate, you get authentication in a reply to the first client request, and then this:

after CSD is posted.

Btw hostscan can also be periodic, in fact the official AnyConnect client repeats the scan and re-posts the results 60 seconds after the connection is already done.

Gilks (Owner) commented May 6, 2020

Sadly it sounds like I'd need a smartcard before I could make this compatible with your setup. If I were trying to figure out how to support this I'd likely reference the OpenConnect code base and see how they are handling smartcard auth and then write something similar into the bypass.

I wish I could be more help in this use case.

3 participants