Skip to content
GitLab
Closed
Issue created by ano nymous@anonymice

AnyConnect 4.9.00512 iOS breaks client certificate authentication

Yesterday's update of the AnyConnect iOS app breaks connections that use a client certificate (for me anyway). Devices that still have the older 4.8 app do not experience this problem.

On AnyConnect's end it correctly verifies the server certificate, but then proceeds with:

CTransportCurlStatic.cpp Line: 1459 Unexpected padding for RSA encrypt: 3
CTransportCurlStatic.cpp Line: 1971 CURL error: 35 = error:141F0006:SSL:routines:tls_construct_cert_verify:EVP lib

Followed by an escalation of error CTRANSPORT_ERROR_SSL_HANDSHAKE that finally results in an error message to the user.

On the ocserv end:

ocserv[2026037]: TLS[<4>]: HSK[0x56423e170430]: switching early to application traffic keys
ocserv[2026037]: TLS[<3>]: ASSERT: ../../lib/buffers.c[get_last_packet]:1168
ocserv[2026037]: TLS[<5>]: REC[0x56423e170430]: SSL 3.3 ChangeCipherSpec packet received. Epoch 1, length: 1
ocserv[2026037]: TLS[<5>]: REC[0x56423e170430]: Expected Packet Handshake(22)
ocserv[2026037]: TLS[<5>]: REC[0x56423e170430]: Received Packet ChangeCipherSpec(20) with length: 1
ocserv[2026037]: TLS[<5>]: REC[0x56423e170430]: SSL 3.3 Application Data packet received. Epoch 1, length: 1528
ocserv[2026037]: TLS[<5>]: REC[0x56423e170430]: Expected Packet Handshake(22)
ocserv[2026037]: TLS[<5>]: REC[0x56423e170430]: Received Packet Application Data(23) with length: 1528
ocserv[2026037]: TLS[<5>]: REC[0x56423e170430]: Decrypted Packet[0] Handshake(22) with length: 1511
ocserv[2026037]: TLS[<4>]: HSK[0x56423e170430]: CERTIFICATE (11) was received. Length 1507[1507], frag offset 0, frag length: 1507, sequence: 0
ocserv[2026037]: TLS[<4>]: HSK[0x56423e170430]: parsing certificate message
ocserv[2026037]: TLS[<3>]: ASSERT: ../../lib/buffers.c[get_last_packet]:1168
ocserv[2026037]: TLS[<5>]: REC[0x56423e170430]: SSL 3.3 Application Data packet received. Epoch 1, length: 19
ocserv[2026037]: TLS[<5>]: REC[0x56423e170430]: Expected Packet Handshake(22)
ocserv[2026037]: TLS[<5>]: REC[0x56423e170430]: Received Packet Application Data(23) with length: 19
ocserv[2026037]: TLS[<5>]: REC[0x56423e170430]: Decrypted Packet[1] Alert(21) with length: 2
ocserv[2026037]: TLS[<5>]: REC[0x56423e170430]: Alert[2|80] - Internal error - was received
ocserv[2026037]: TLS[<3>]: ASSERT: ../../lib/record.c[record_add_to_buffers]:891
ocserv[2026037]: TLS[<3>]: ASSERT: ../../lib/record.c[record_add_to_buffers]:897
ocserv[2026037]: TLS[<3>]: ASSERT: ../../lib/record.c[_gnutls_recv_in_buffers]:1577
ocserv[2026037]: TLS[<3>]: ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1446
ocserv[2026037]: TLS[<3>]: ASSERT: ../../lib/handshake.c[_gnutls_recv_handshake]:1531
ocserv[2026037]: TLS[<3>]: ASSERT: ../../lib/tls13/certificate_verify.c[_gnutls13_recv_certificate_verify]:75
ocserv[2026037]: TLS[<3>]: ASSERT: ../../lib/handshake-tls13.c[_gnutls13_handshake_server]:540
ocserv[2026037]: GnuTLS error (at worker-vpn.c:817): A TLS fatal alert has been received.
Edited by ano nymous