1

I would like to "pin" the certificate or at least the certificate authority for AnyConnect connections. Given the amount of SSL MITM'ing and compromised CAs, I want to ensure that only certificates signed by a certain CA are accepted as valid by the AnyConnect client when establishing a connection to the VPN.

How to do it on ASA 5510?

Konrads

1 Answer

0

I don't know anything about your Cisco gear, but generally speaking any SSL client will have copies installed of the public key for the CAs it trusts. I presume your Cisco kit is the same, but I can't help you with how to install a specific certificate it doesn't already have.

If your system relies on public CA infrastructure, then not much will help if the CA is compromised. At that point a MITM attacker can sign their own key and there is little you can do to distinguish whether that key has been legitimately signed or not. If the attacker has the CA key, there's no difference between them and one signed by the CA using the same key. The only thing you can do is to make sure you have a mechanism for tracking revocations that might be issued for the CA certs.

If you only want to accept certificates signed by a specific CA (limiting your exposure to other CAs being compromised), then you could remove all the CA certs except the one you trust.

Many SSL communications with a known set of devices (and this is therefore likely for a VPN product) keep a registry with a fingerprint of each client's certificate, or sign the client certs with a key held by the server (i.e. the server is its own CA). In these cases there is no need for an external CA, but there has to be a system for securely issuing or signing the certificates. That seems likely for your VPN product, but as I say, I don't know the Cisco gear. If you have an architecture of this sort though, the key point is that compromise of public CAs is unlikely to concern you.

If you have a system where your VPN server is signing certificates itself, then having the client certs signed by your own CA is every bit as good as checking the client certs against some sort of registry, which is what your list of pinned certs would effectively be.

mc0e
  • AnyConnect, to the best of my knowledge, relies on the Windows built-in trusted root cert store. Which means that in order to force it to use only "my" CA, I'd have to kill the cert store. Seems such a basic feature - trust my own CA only, but alas I can't find that it exists. – Konrads Sep 09 '14 at 21:22
  • Your clients might use the windows cert store to authenticate the server, but do you also create client certificates which the server authenticates? – mc0e Sep 10 '14 at 03:51
  • Looking at the diagram at https://supportforums.cisco.com/blog/152941/anyconnect-certificate-based-authentication, it seems there's a separate CA server in the picture. Does a MS CA server allow you to set a policy where you serve only your own CA cert to the Cisco box? – mc0e Sep 10 '14 at 03:57
  • Using client-certificate authentication is a half-way house: clients could still establish an insecure tunnel, but this tunnel could not be relayed to the real VPN server. It also forces someone to do the whole cert management, which can be painful.. :) – Konrads Sep 15 '14 at 12:40
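As an added example (my own, not from the thread, Cisco or AnyConnect), the two checks the answer describes, a trust store that holds only your own CA and a registry of certificate fingerprints, demonstrated with OpenSSL against a throwaway CA; every name in it (My VPN CA, vpn.example.com, Rogue CA) is constructed for the demo.

```shell
#!/bin/sh
# Added example: "trust only my CA" and "pin the fingerprint" with OpenSSL.
# Everything below is generated in a temp dir; no real CA or host is used.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# The private CA the VPN operator controls: the only CA we will trust.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout ca.key -out ca.crt -subj "/CN=My VPN CA" -days 1 2>/dev/null
# The VPN head end's certificate, issued by that CA.
openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout vpn.key -out vpn.csr -subj "/CN=vpn.example.com" 2>/dev/null
openssl x509 -req -in vpn.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out vpn.crt -days 1 2>/dev/null
# An unrelated CA standing in for a compromised public CA: it issues a
# certificate for the very same name, which is the MITM case in the question.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout rogue.key -out rogue.crt -subj "/CN=Rogue CA" -days 1 2>/dev/null
openssl x509 -req -in vpn.csr -CA rogue.crt -CAkey rogue.key -CAcreateserial \
  -out vpn-rogue.crt -days 1 2>/dev/null

# Approach 1 from the answer: a trust store containing only the private CA.
# -no-CApath keeps the system CA directory out, so $2 is the whole store.
# Returns 0 when $1 chains to that CA, 1 otherwise.
chains_to_pinned_ca() {
  openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# Approach 2 from the answer: a registry of SHA-256 certificate fingerprints.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
# $1 = certificate file, remaining args = the accepted fingerprints.
fingerprint_is_pinned() {
  fp=$(fingerprint "$1"); shift
  for pin in "$@"; do [ "$fp" = "$pin" ] && return 0; done
  return 1
}

# Stand-alone run: only the certificate from our own CA passes either check.
chains_to_pinned_ca vpn.crt ca.crt && echo "vpn.crt: chains to My VPN CA"
chains_to_pinned_ca vpn-rogue.crt ca.crt || echo "vpn-rogue.crt: rejected"
PIN=$(fingerprint vpn.crt)
fingerprint_is_pinned vpn-rogue.crt "$PIN" || echo "rogue fingerprint not pinned"
```

Both checks accept vpn.crt and reject vpn-rogue.crt even though the subject name is identical, which is the property the question is after; the fingerprint registry additionally survives a compromise of your own CA, at the cost of updating the pin on every renewal.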