A simple implementation of a CSD-Wrapper as required for OpenConnect to comply with Cisco AnyConnect "hostscan" policies.

csd-wrapper.sh

#!/bin/bash

unset URL TICKET STUB GROUP CERTHASH LANGSELEN
shift
while [ "$1" ]; do
    if [ "$1" == "-ticket" ];    then shift; TICKET=$1; fi
    if [ "$1" == "-stub" ];      then shift; STUB=$1; fi
    if [ "$1" == "-group" ];     then shift; GROUP=$1; fi
    if [ "$1" == "-certhash" ];  then shift; CERTHASH=$1; fi
    if [ "$1" == "-url" ];       then shift; URL=$1; fi
    if [ "$1" == "-langselen" ]; then shift; LANGSELEN=$1; fi
    shift
done

case "$(uname -s)" in
  Darwin)
    MD5="md5"
    ARCH="darwin_i386"
  ;;
  Linux)
    MD5="md5 --tag"
    [ "$(uname -m)" == "x86_64" ] && ARCH="linux_x64" || ARCH="linux_i386"
  ;;
esac

HOSTSCAN_DIR="$HOME/.cisco/hostscan"
mkdir -p $HOSTSCAN_DIR/{bin,lib}

FILE_URL="${URL//\"/}/sdesktop/hostscan/$ARCH"
echo "Manifest URL: $FILE_URL/manifest"
curl -s "$FILE_URL/manifest" | while read line; do
  file="${line#*(}" file="${file%)*}" sum="${line##* }"
  [[ "$file" =~ \.(dylib|so|dat)$ ]] && filetype=lib || filetype=bin
  cd "$HOSTSCAN_DIR/$filetype"
  if [ -f "$file" ] && [ "$($MD5 $file)" == "$line" ]; then
    echo "$file is up to date."
  else
    echo "downloading $file"
    if curl -Ifs "$FILE_URL/$file.gz" > /dev/null; then
      curl -s "$FILE_URL/$file.gz" | gunzip > "$file"
    else
      curl -s "$FILE_URL/$file" > "$file"
    fi
  fi
  [ "$filetype" == "bin" ] && chmod 755 "$file"
done

# Launch "cstub"
cd $HOSTSCAN_DIR/bin
#ARGS="-log debug -ticket $TICKET -stub $STUB -group $GROUP -url $URL -certhash $CERTHASH"
ARGS="-log error -ticket $TICKET -stub $STUB -group $GROUP -url $URL -certhash $CERTHASH"
echo "Launching: $(pwd)/cstub $ARGS"
./cstub $ARGS

Just wanted to remind people, that OpenConnect includes a csd-wrapper.sh as well as a csd-post.sh script these days: https://gitlab.com/openconnect/openconnect/tree/master/trojans

For obvious reasons (see below) it's recommended to use csd-post.sh if possible!

From the official OpenConnect documentation:

The OpenConnect distribution includes two alternative scripts to support the execution or spoofing of the CSD behaviour, in the trojans/ subdirectory:

• csd-wrapper.sh: This script accepts the same options as some versions of the CSD trojan binary, (-ticket, -stub, -group, -certhash, -url, -langselen), downloads the files required by the binary, and then wraps the execution of the cstub binary. Because of the security dangers of executing a server-provided trojan binary, this script should ideally be executed with the permissions of a low-privilege user (e.g. --csd-user=nobody --csd-wrapper=trojans/csd-wrapper.sh).
• csd-post.sh: This script does not actually run the CSD trojan binary. Instead, it emulates the behaviour of the CSD trojan, creating a plaintext report similar to the one that the CSD trojans build, and uploading it to the server sent by the VPN gateway. The report may need to be customized in order to be accepted by some servers; the hostscan-bypass tool may help with this. Because this script does not actually execute a trojan binary, and because its complete output is easily visible in the script, the security concerns are greatly alleviated.

Hey! Saw some traffic coming to the hostscan-bypass from this gist. I just wanted to add on to what salim-b was saying. The hostscan-bypass creates a customized csd file for your environment. If you have access to a machine that you know works, you are able to MITM the exact values it uses to authenticate to the VPN endpoint. If the included csd wrappers are not working, hostscan-bypass will.

Thanks @salim-b, looks like Daniel has addressed a few of the issues that kept me from using Nikolay's original csd-wrapper.sh script, and added some additional useful features, so my variation may be unneeded at this point.

Also, the csd-post.sh workaround is certainly useful in some cases where you don't want to execute the trojans at all, but it is nice that openconnect now provides all of those scripts as options to the end-user, so they can select what is appropriate for their scenario.

OpenConnect official script doesn't work for Mac. My version does.
https://gist.github.com/asarkar/fb4452a4abdf9e4a9752a7d55d2cdc93

(as I only used the script and read the comments after it was working ...)

csd-wrapper.sh
#md5 is not a command in a Redhat derived Linux.

Linux)
MD5="md5 --tag"

should be
Linux)
MD5="md5sum --tag"

I had to locate cstub already in the /opt/cisco directory, copy to my local user.

For completeness:

sudo openconnect --user=<vpn_user> --csd-user= --csd-wrapper=/home//.cisco/csd-wrapper.sh

In my corp system the "Refreshing +CSCOE+/sdesktop/wait.html after 1 second...." takes about 50 seconds, so patience ...

Found my way here after my Corp connect stopped working 2 weeks ago (CISCO GUI Policy error) then I dropped to cmdline to use openconnect, more feedback, searching ... got to the end with this GIST.

Thanks.