Gilks / hostscan-bypass

Generate OpenConnect CSD files to bypass Cisco AnyConnect hostscan requirements

tls: failed to parse private key #18

Closed tsunamaru closed 3 years ago

tsunamaru commented 3 years ago

Trying to connect my AnyConnect Linux client to a running hostscan-bypass causes tls: failed to parse private key in the hostscan stdout and then a timeout error on the AnyConnect client (obviously).

My hostscan run command is: sudo go run hostscan-bypass.go -l <my-ip> -p 443 -r <redacted>:443 -s -client-cert cert.pem -client-key cert.key

cert.pem is in the following format:

Bag Attributes
    localKeyID: <40 symbols following...> 
subject=/C=<redacted>/ST=<redacted>/L=<redacted>/O=<redacted>/OU=<redacted>/CN=<redacted>/emailAddress=<redacted>
issuer=/DC=<redacted>/DC=<redacted>/CN=<redacted>
-----BEGIN CERTIFICATE-----
<redacted>
-----END CERTIFICATE-----

cert.key:

Bag Attributes
    localKeyID: <same 40 symbols following...> 
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
<redacted>
-----END ENCRYPTED PRIVATE KEY-----

The full hostscan-bypass stdout is just

[*] Listening for AnyConnect client connection..
[*] Accepted from: <redacted>:58404
tls: failed to parse private key

Much appreciated if you can help me with this. And thanks for your hard work!

Gilks commented 3 years ago

Not certain why I never got a notification for this but here we are. It looks like you have some extra data sitting at the top of your certs/key. I'm not an encryption expert, so I don't know if that actually matters. Your private key also appears to have different header/footer text. This may be a byproduct of how they were generated. Anyway, here is how your cert/keys should look:

-----BEGIN CERTIFICATE-----
<redacted>
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
<redacted>
-----END RSA PRIVATE KEY-----

tsunamaru commented 3 years ago

Yeah, my first thought was just about that header before the actual key. I removed it, but nothing changed. The second thing I tried was converting the encrypted RSA key to a normal RSA key: openssl rsa -in cert.key -out cert.decrypted.key

The decrypted key looks like:

-----BEGIN RSA PRIVATE KEY-----
<redacted>
-----END RSA PRIVATE KEY-----

Still, when I run hostscan-bypass with this decrypted key and try to connect my AnyConnect client, it starts complaining about an "untrustworthy gateway" and closes the connection immediately.

Gilks commented 3 years ago

Which OS are you trying to MITM?

In your AnyConnect client you must uncheck the "block connections to untrustworthy gateways" box. If you check my blog post you'll see a picture of the setting.

On Tue, Jan 26, 2021, 4:07 AM Artem Vetrov notifications@github.com wrote:

> […]

tsunamaru commented 3 years ago

AnyConnect runs inside an Ubuntu 20.04 VM, and hostscan-bypass runs on the host system (Gentoo Linux). Of course, I checked out your blog post before creating the issue, and that box was unchecked right from the beginning.

Here are some screenshots from inside the Ubuntu VM: https://imgur.com/a/qFgS6qr

Gilks commented 3 years ago

It sounds like the Linux AnyConnect is not respecting your choice. There was a similar issue described in the OS X troubleshooting thread (#4). Specifically, this comment.

I won't be able to troubleshoot your specific AnyConnect issue but what I can say is that you are on the right track. Your new private key is working correctly. If you can get Linux/AnyConnect to let you connect to untrusted servers you'll be in the clear.

If you run into trouble finding the root cause then the final thing you can do is put the hostscan-bypass on a legitimate domain with a real SSL cert (Let's Encrypt). Since the SSL cert is real, AnyConnect will trust the connection.