Cisco AnyConnect Secure Mobility Client v3.x Release Notes
Release Notes for Cisco AnyConnect Secure Mobility Client, Release 3.1
AnyConnect Certificate Requirements
The following behavioral changes have been made to server certificate verification:
SSL connections being performed via FQDN no longer make a secondary server certificate verification with
the FQDN's resolved IP address for name verification if the initial verification using the FQDN fails.
IPsec and SSL connections require that if a server certificate contains Key Usage, the attributes must contain
DigitalSignature AND (KeyAgreement OR KeyEncipherment). If the server certificate contains an EKU: for SSL
the attributes must contain serverAuth, and for IPsec the attributes must contain serverAuth OR
ikeIntermediate. Note that server certificates are not required to have a KU or an EKU to be accepted.
IPsec connections perform name verification on server certificates. The following rules are applied for the
purposes of IPsec name verification:
— If a Subject Alternative Name extension is present with relevant attributes, name verification is performed
solely against the Subject Alternative Name. Relevant attributes include DNS Name attributes for all
certificates, and additionally include IP address attributes if the connection is being performed to an IP
address.
— If a Subject Alternative Name extension is not present, or is present but contains no relevant attributes,
name verification is performed against any Common Name attributes found in the Subject of the certificate.
— If a certificate uses a wildcard for the purposes of name verification, the wildcard must be in the first
(left-most) subdomain only, and additionally must be the last (right-most) character in the subdomain. Any
wildcard entry not in compliance is ignored for the purposes of name verification.
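The KU/EKU acceptance rule and the three IPsec name-verification rules above are easy to misread when a certificate carries both a SAN and a CN, so here is the logic written out as an added example. This is not Cisco's code and not what the AnyConnect client actually runs; the CertInfo model, the certificate values and the two matching details the notes do not spell out (a compliant wildcard covers exactly one label, and any text before the "*" must prefix that label) are assumptions made here for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class CertInfo:
    """Hypothetical, minimal view of a server certificate (constructed for this example).

    A real implementation would fill these from a parsed X.509 certificate.
    None for key_usage / ext_key_usage means the extension is absent.
    """
    common_names: List[str] = field(default_factory=list)  # Subject CN attributes
    san_dns: List[str] = field(default_factory=list)       # SAN dNSName entries
    san_ip: List[str] = field(default_factory=list)        # SAN iPAddress entries
    key_usage: Optional[Set[str]] = None
    ext_key_usage: Optional[Set[str]] = None


def key_usage_acceptable(cert: CertInfo, protocol: str) -> bool:
    """KU/EKU rule: an absent extension is accepted; a present one must satisfy the rule."""
    if protocol not in ("ssl", "ipsec"):
        raise ValueError("protocol must be 'ssl' or 'ipsec'")
    if cert.key_usage is not None:
        ku = cert.key_usage
        # digitalSignature AND (keyAgreement OR keyEncipherment)
        if "digitalSignature" not in ku or not ({"keyAgreement", "keyEncipherment"} & ku):
            return False
    if cert.ext_key_usage is not None:
        allowed = {"serverAuth"} if protocol == "ssl" else {"serverAuth", "ikeIntermediate"}
        if not (cert.ext_key_usage & allowed):
            return False
    return True


def _is_ip(target: str) -> bool:
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def wildcard_is_compliant(name: str) -> bool:
    """'*' may appear only in the left-most label and only as its last character."""
    if "*" not in name:
        return True
    labels = name.split(".")
    if any("*" in lbl for lbl in labels[1:]):
        return False
    return labels[0].count("*") == 1 and labels[0].endswith("*")


def dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match of a dNSName or CN pattern against the connected host name.

    Assumption (not stated in the notes): a compliant wildcard covers exactly one
    label, and any text before the '*' (e.g. 'vpn*') must prefix that label.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    if not wildcard_is_compliant(pattern):
        return False  # non-compliant wildcard entries are ignored, not matched literally
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[1:] != h_labels[1:]:
        return False
    return h_labels[0].startswith(p_labels[0][:-1])


def verify_name(cert: CertInfo, target: str) -> bool:
    """Apply the IPsec name-verification rules: SAN first, CN only as a fallback."""
    target_is_ip = _is_ip(target)
    relevant = [("dns", d) for d in cert.san_dns]
    if target_is_ip:  # iPAddress entries are relevant only when connecting to an IP
        relevant += [("ip", a) for a in cert.san_ip]
    if not relevant:
        # No SAN, or a SAN with no relevant attributes: fall back to the Subject CN(s).
        return any(dns_name_matches(cn, target) for cn in cert.common_names)
    # A SAN with relevant attributes is authoritative; the CN is never consulted.
    for kind, value in relevant:
        if kind == "ip":
            if _is_ip(value) and ipaddress.ip_address(value) == ipaddress.ip_address(target):
                return True
        elif dns_name_matches(value, target):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: CN says one thing, SAN says another; SAN wins.
    cert = CertInfo(common_names=["vpn.corp.example"], san_dns=["*.example.com"],
                    san_ip=["198.51.100.10"], key_usage={"digitalSignature", "keyEncipherment"},
                    ext_key_usage={"serverAuth"})
    for target in ("vpn.example.com", "vpn.corp.example", "198.51.100.10"):
        print(target, verify_name(cert, target), key_usage_acceptable(cert, "ipsec"))
```

The case worth noticing is the CN fallback: a certificate whose SAN holds only an iPAddress entry is verified against its CN when you connect by host name, but the same certificate connected to by IP is verified solely against that SAN entry.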
Increased Security in the AnyConnect Pre-deploy Package
The AnyConnect pre-deploy VPN package previously installed the VPN WebLaunch ActiveX control by default.
Starting in AnyConnect 3.1, installation of the VPN ActiveX control is turned off by default. This change was made
to favor the most secure configuration as the default behavior.
When pre-deploying the AnyConnect Client and Optional Modules, if you require the VPN ActiveX control to be
installed with AnyConnect, you must use the NOINSTALLACTIVEX=0 option with msiexec or a transform. For
example, on one line enter:
msiexec /package anyconnect-win-ver-pre-deploy-k9.msi /norestart /passive NOINSTALLACTIVEX=0 /lvx*
Important AnyConnect, Host Scan, and CSD Interoperability Information
We always recommend that you upgrade to the latest Host Scan engine version.
Note:
AnyConnect will not establish a VPN connection when used with an incompatible version of Host Scan or
CSD. Ensure that the Host Scan version you are running matches the AnyConnect version.
Note:
If you cannot upgrade AnyConnect and Host Scan or AnyConnect and CSD at the same time, upgrade Host
Scan or CSD first, then upgrade AnyConnect.
Deprecation of CSD
Cisco dropped support for the Secure Desktop (Vault), Cache Cleaner, Keystroke Logger Detection (KSL), and
Host Emulation Detection features of CSD in Nov 2012. For more information, see the deprecation field notice
“