Cisco AnyConnect Secure Mobility Client v3.x Release Notes
Release Notes for Cisco AnyConnect Secure Mobility Client, Release 3.0
• SSL and IPSec connections from the AnyConnect client to the secure gateway that are made using the FQDN of the secure gateway no longer perform a secondary server certificate name verification against the FQDN's resolved IP address when the initial verification using the FQDN fails.
• SSL and IPSec connections from the AnyConnect client to the secure gateway require server certificates to contain Key Usage attributes of Digital Signature and Key Encipherment.
• SSL connections from the AnyConnect client to the secure gateway require server certificates to contain an Enhanced Key Usage attribute of Server Authentication.
• IPSec connections from the AnyConnect client to the secure gateway require server certificates to contain an Enhanced Key Usage attribute of Server Authentication or IKE Intermediate.
Note
Server certificates that do not contain a Key Usage extension are considered invalid for all Key Usages; likewise, server certificates that do not contain an Enhanced Key Usage extension are considered invalid for all Enhanced Key Usages.
• In this release of AnyConnect, IPSec connections from the AnyConnect client to the secure gateway now perform name verification on server certificates. The following rules are applied for the purposes of both IPSec and SSL name verification:
– If a Subject Alternative Name extension is present with relevant attributes, name verification is performed solely against the Subject Alternative Name. Relevant attributes include DNS Name attributes for all certificates, and additionally include IP address attributes if the connection is being made to an IP address.
– If a Subject Alternative Name extension is not present, or is present but contains no relevant attributes, name verification is performed against any Common Name attributes found in the Subject of the certificate.
– If a certificate uses a wildcard for the purposes of name verification, the wildcard must be in the first (far left) subdomain only, and additionally must be the last (far right) character in that subdomain. Any wildcard entry not in compliance is ignored for the purposes of name verification.
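The Key Usage, Enhanced Key Usage and name-verification rules above, written out as a single acceptance check. This is an added illustration and not Cisco code: the rules are the ones listed in these release notes, while the `ServerCert` data model, the constructed sample certificates, and two details the notes leave open (a compliant wildcard matches zero or more characters of the leftmost label only and never spans a dot; comparison is case-insensitive) are this example's own assumptions.

```python
"""Model of the AnyConnect 3.0 server-certificate acceptance rules.

Added illustration, not Cisco code. The checks follow the release-note
rules; the ServerCert model, the sample certificates, the single-label
wildcard behaviour and case-insensitive matching are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Key Usage bits and Enhanced (Extended) Key Usage purposes named in the notes.
DIGITAL_SIGNATURE = "digitalSignature"
KEY_ENCIPHERMENT = "keyEncipherment"
SERVER_AUTH = "serverAuth"            # id-kp-serverAuth, OID 1.3.6.1.5.5.7.3.1
IKE_INTERMEDIATE = "ikeIntermediate"  # OID 1.3.6.1.5.5.8.2.2


@dataclass
class ServerCert:
    """Only the fields the rules look at. None for an extension means it is absent."""
    subject_cn: List[str] = field(default_factory=list)
    san_dns: List[str] = field(default_factory=list)
    san_ip: List[str] = field(default_factory=list)
    key_usage: Optional[Set[str]] = None
    ext_key_usage: Optional[Set[str]] = None


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def wildcard_compliant(name):
    """A '*' is honoured only as the last character of the leftmost label, nowhere else."""
    if "*" not in name:
        return True
    return name.count("*") == 1 and name.split(".")[0].endswith("*")


def dns_name_matches(pattern, host):
    """Match one DNS Name (or CN) entry against the host the client connected to."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not wildcard_compliant(pattern):
        return False  # non-compliant wildcard entry: ignored, so it can never match
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[1:] != h_labels[1:]:
        return False  # assumption: the wildcard stays within the leftmost label
    return h_labels[0].startswith(p_labels[0][:-1])


def name_matches(cert, target):
    """SAN rules: DNS names are always relevant, IP entries only for connections by IP.
    When the SAN has relevant entries it is the sole source; otherwise fall back to CN."""
    by_ip = _is_ip(target)
    if cert.san_dns or (by_ip and cert.san_ip):
        if by_ip:
            want = ipaddress.ip_address(target)
            return any(ipaddress.ip_address(ip) == want for ip in cert.san_ip)
        return any(dns_name_matches(entry, target) for entry in cert.san_dns)
    if by_ip:
        want = ipaddress.ip_address(target)
        return any(_is_ip(cn) and ipaddress.ip_address(cn) == want for cn in cert.subject_cn)
    return any(dns_name_matches(cn, target) for cn in cert.subject_cn)


def verify_server_cert(cert, target, protocol):
    """Return the failed checks (empty list means accepted). protocol is 'ssl' or 'ipsec'.
    target is exactly what the client connected to: there is no retry against the
    FQDN's resolved IP address when name verification by FQDN fails."""
    failures = []
    # Absent Key Usage extension => invalid for all key usages.
    if cert.key_usage is None or not {DIGITAL_SIGNATURE, KEY_ENCIPHERMENT} <= cert.key_usage:
        failures.append("key-usage")
    # Absent EKU extension => invalid for all EKUs; IPSec additionally accepts IKE Intermediate.
    allowed = {SERVER_AUTH} if protocol == "ssl" else {SERVER_AUTH, IKE_INTERMEDIATE}
    if cert.ext_key_usage is None or not (cert.ext_key_usage & allowed):
        failures.append("extended-key-usage")
    if not name_matches(cert, target):
        failures.append("name")
    return failures


# Constructed sample certificates (not real gateway certificates).
FULL_KU = {DIGITAL_SIGNATURE, KEY_ENCIPHERMENT}
GATEWAY = ServerCert(subject_cn=["old-cn.example.com"],
                     san_dns=["vpn.example.com", "*.branch.example.com"],
                     san_ip=["203.0.113.10"], key_usage=FULL_KU, ext_key_usage={SERVER_AUTH})
PREFIX_WILDCARD = ServerCert(san_dns=["vpn*.example.com"], key_usage=FULL_KU,
                             ext_key_usage={SERVER_AUTH})
BAD_WILDCARDS = ServerCert(subject_cn=["vpn.example.com"],
                           san_dns=["vpn.*.example.com", "*vpn.example.com"],
                           key_usage=FULL_KU, ext_key_usage={SERVER_AUTH})
IP_SAN_ONLY = ServerCert(subject_cn=["vpn.example.com"], san_ip=["203.0.113.10"],
                         key_usage=FULL_KU, ext_key_usage={SERVER_AUTH})
IKE_ONLY_NO_KU = ServerCert(san_dns=["vpn.example.com"], ext_key_usage={IKE_INTERMEDIATE})

if __name__ == "__main__":
    for cert, target, proto in [(GATEWAY, "old-cn.example.com", "ssl"),
                                (IP_SAN_ONLY, "vpn.example.com", "ssl"),
                                (IKE_ONLY_NO_KU, "vpn.example.com", "ssl")]:
        print(target, proto, verify_server_cert(cert, target, proto) or "accepted")
```

Two of the constructed cases show behaviour that is easy to get wrong when reading the rules: `BAD_WILDCARDS` fails name verification even though its Subject CN matches, because the SAN does contain DNS Name attributes (they are merely non-compliant and ignored), so the CN is never consulted; `IP_SAN_ONLY` passes for a connection by FQDN because a SAN holding only IP address attributes has no relevant attributes for that connection, so verification falls back to the CN.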
Changes to Client Certificate Verification
AnyConnect releases 3.0.08057 through 3.0.10055 inadvertently required specific values in the EKU field of a client certificate in order for it to be used to establish a VPN connection. Consequently, client certificates issued from an ASA CA were not being used by AnyConnect to establish a VPN connection. This bug, CSCuc07598, was fixed in 3.0.10057.
In releases earlier than 3.0.08057 and in release 3.0.10057 and later, these client certificates can be used to successfully establish a VPN connection.
Important AnyConnect, CSD, and Host Scan Interoperability Information
AnyConnect 3.0.10057 and later is compatible with Host Scan 3.0.08057 or later versions and CSD 3.6.6020 or later versions.