I was looking for a way to disable the «Trusted Servers» setting on my Cisco AnyConnect Secure Mobility Client, version 4.7.00136 specifically.

It is easy to change through the graphical user interface, but where is that configuration stored?

AnyConnect client v. 4.7

The «three profile» settings

At first I looked at /opt/cisco/anyconnect/profile/ANYCONNECT_Client_Profile.xml, because that is where the address of the server to connect to is stored, under the <HostAddress> tag, but there was no trace of any «untrusted servers» setting there.

After changing the setting through the GUI, the file /opt/cisco/anyconnect/.anyconnect_global was touched, but nothing in it changed.

Finally I found that the setting is stored per user, in /home/myuser/.anyconnect, under the <BlockUntrustedServers> tag:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
    <DefaultUser></DefaultUser>
    <DefaultSecondUser></DefaultSecondUser>
    <ClientCertificateThumbprint></ClientCertificateThumbprint>
    <MultipleClientCertificateThumbprints></MultipleClientCertificateThumbprints>
    <ServerCertificateThumbprint></ServerCertificateThumbprint>
    <DefaultHostName></DefaultHostName>
    <DefaultHostAddress></DefaultHostAddress>
    <DefaultGroup></DefaultGroup>
    <ProxyHost></ProxyHost>
    <ProxyPort></ProxyPort>
    <SDITokenType>none</SDITokenType>
    <ControllablePreferences>
        <BlockUntrustedServers>true</BlockUntrustedServers>
    </ControllablePreferences>
</AnyConnectPreferences>
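If you would rather flip the flag from a script than from the GUI (or audit it on a fleet of machines), the following is an added example written for this post, not Cisco code. It assumes the file layout listed above (root <AnyConnectPreferences>, the flag nested under <ControllablePreferences>) and edits the document with ElementTree so every other element survives untouched; the ~/.anyconnect path and the 0o600 file mode are this example's choices, and SAMPLE_PREFS is constructed from the listing above. Remember what the flag means before turning it off: with BlockUntrustedServers set to false the client will negotiate with a gateway whose certificate fails validation, which is exactly the position a man-in-the-middle wants you in.

```python
"""Read and flip BlockUntrustedServers in an AnyConnect preferences file.

Added example for this post, not Cisco code. It assumes the layout shown in
the post (root <AnyConnectPreferences>, the flag nested under
<ControllablePreferences>). SAMPLE_PREFS is constructed from that listing;
the file path and the 0o600 mode are choices of this example.
"""
import os
import stat
import sys
import xml.etree.ElementTree as ET

XML_DECL = '<?xml version="1.0" encoding="UTF-8"?>\n'
FLAG_PATH = "ControllablePreferences/BlockUntrustedServers"

SAMPLE_PREFS = XML_DECL + """<AnyConnectPreferences>
<DefaultUser></DefaultUser>
<DefaultSecondUser></DefaultSecondUser>
<ClientCertificateThumbprint></ClientCertificateThumbprint>
<ServerCertificateThumbprint></ServerCertificateThumbprint>
<DefaultHostName></DefaultHostName>
<DefaultHostAddress></DefaultHostAddress>
<ProxyHost></ProxyHost>
<ProxyPort></ProxyPort>
<SDITokenType>none</SDITokenType>
<ControllablePreferences>
<BlockUntrustedServers>true</BlockUntrustedServers></ControllablePreferences>
</AnyConnectPreferences>
"""


def get_block_untrusted(xml_text):
    """True/False for the stored flag, None if the element is absent."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    node = root.find(FLAG_PATH)
    if node is None or node.text is None:
        return None
    return node.text.strip().lower() == "true"


def set_block_untrusted(xml_text, enabled):
    """Return the document with the flag set, creating the elements if needed."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    parent = root.find("ControllablePreferences")
    if parent is None:
        parent = ET.SubElement(root, "ControllablePreferences")
    node = parent.find("BlockUntrustedServers")
    if node is None:
        node = ET.SubElement(parent, "BlockUntrustedServers")
    node.text = "true" if enabled else "false"
    return XML_DECL + ET.tostring(root, encoding="unicode") + "\n"


def exposed_bits(mode):
    """Permission bits that let group or others read/write a preferences file."""
    return stat.S_IMODE(mode) & (stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH)


def save_prefs(path, xml_text):
    """Write the file with mode 0600. O_CREAT's mode is subject to umask and is
    ignored for an existing file, hence the explicit chmod afterwards."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(xml_text)
    os.chmod(path, 0o600)


if __name__ == "__main__":
    # usage: python prefs.py [on|off]   (the path is this example's assumption)
    prefs_path = os.path.expanduser("~/.anyconnect")
    with open(prefs_path, encoding="utf-8") as f:
        current = f.read()
    print("currently:", get_block_untrusted(current))
    if len(sys.argv) > 1:
        save_prefs(prefs_path, set_block_untrusted(current, sys.argv[1] == "on"))
        print("set to:", sys.argv[1] == "on")
    leak = exposed_bits(os.stat(prefs_path).st_mode)
    if leak:
        print(f"warning: mode leaves bits {leak:04o} open to group/others")
```

The preferences file also carries the client and server certificate thumbprints and the proxy settings, so the script rewrites it with mode 0600 rather than trusting whatever the creating process and the umask produced.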

How did I find that it was that file?

First I checked which binaries had anything to do with «Block»; the binary in charge of it was vpn:

root@lubuntu:/opt/cisco# strings anyconnect/bin/vpn |grep -i block
_ZN9ClientIfc22setCertBlockedResponseEb
usage: block [0|1]
block
Blocks untrusted servers with 1 and allow untrusted servers with 0.
state block cancel

Then I ran the binary with the parameters that change the setting, under strace, to see which files it touched:

root@lubuntu:/opt/cisco# strace anyconnect/bin/vpn block 0
execve("anyconnect/bin/vpn", ["anyconnect/bin/vpn", "block", "0"], [/* 18 vars */]) = 0
brk(NULL)                               = 0x55771f816000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa01f322000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/opt/cisco/anyconnect/lib/tls/x86_64/libvpnapi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/opt/cisco/anyconnect/lib/tls/x86_64", 0x7fff5f86bcc0) = -1 ENOENT (No such file or directory)
stat("/home/myuser", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
open("/home/myuser/.anyconnect", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 8
write(8, "<?xml version=\"1.0\" encoding=\"UT"..., 649) = 649

It tried to open several files, but it wrote to only one, and that one caught my attention:

stat("/home/myuser", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
open("/home/myuser/.anyconnect", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 8

After checking its contents it was clear that the setting was stored there. Note also that the open() call creates the file with mode 0666, so its final permissions depend only on the umask; it is worth an ls -l on it, since the same file has fields for the certificate thumbprints and proxy settings.
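The strace output above is long and most of it is the loader and failed probes. The following is an added example written for this post (not part of the AnyConnect client or any Cisco tool) that automates the "which file did it actually write?" step: it parses plain strace output as produced by `strace -o trace.txt <command>`, tracks open/openat, write and close lines, and reports every path opened writable together with its flags, creation mode and bytes written. SAMPLE_TRACE is constructed from the lines quoted in this post and is not a real capture; the read and close lines in it are assumptions added to make the example complete.

```python
"""Pick the files a traced command actually wrote to.

Added example for this post, not part of the AnyConnect client or any Cisco
tool. It parses plain strace output (open/openat, write and close lines, as
produced by `strace -o trace.txt <command>`) and reports every path that was
opened writable, the flags and creation mode used, and how many bytes went
through that descriptor. SAMPLE_TRACE is constructed for the example from
the lines quoted in the post; it is not a real capture.
"""
import re
import sys

SAMPLE_TRACE = r"""
execve("anyconnect/bin/vpn", ["anyconnect/bin/vpn", "block", "0"], [/* 18 vars */]) = 0
open("/opt/cisco/anyconnect/lib/tls/x86_64/libvpnapi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/opt/cisco/anyconnect/profile/ANYCONNECT_Client_Profile.xml", O_RDONLY) = 3
read(3, "<?xml version=\"1.0\" encoding=\"UT"..., 4096) = 1200
close(3)                                = 0
open("/opt/cisco/anyconnect/.anyconnect_global", O_RDONLY) = 3
close(3)                                = 0
stat("/home/myuser", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
open("/home/myuser/.anyconnect", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 8
write(8, "<?xml version=\"1.0\" encoding=\"UT"..., 649) = 649
close(8)                                = 0
"""

# open("path", FLAGS[, mode]) = fd   or   openat(dirfd, "path", FLAGS[, mode]) = fd
OPEN_RE = re.compile(
    r'^(?:open\(|openat\((?:AT_FDCWD|\d+), )"(?P<path>[^"]*)", '
    r'(?P<flags>[A-Z0-9_|]+)(?:, (?P<mode>0[0-7]*))?\) = (?P<ret>-?\d+)'
)
WRITE_RE = re.compile(r'^write\((?P<fd>\d+), .*\) = (?P<n>-?\d+)')
CLOSE_RE = re.compile(r'^close\((?P<fd>\d+)\)')


def files_written(trace_text):
    """Map each path opened for writing to (flags, create_mode, bytes_written).

    Descriptors are tracked until close() so writes are attributed to the
    right path even when the kernel reuses fd numbers.
    """
    writable = {}   # fd -> path, for descriptors currently open for writing
    result = {}     # path -> [flags, mode, bytes]
    for line in trace_text.splitlines():
        m = OPEN_RE.match(line)
        if m:
            fd = int(m.group("ret"))
            if fd < 0:
                continue                     # failed probe (ENOENT etc.), nothing written
            flags = m.group("flags").split("|")
            if "O_WRONLY" in flags or "O_RDWR" in flags:
                writable[fd] = m.group("path")
                result.setdefault(m.group("path"), [m.group("flags"), m.group("mode"), 0])
            else:
                writable.pop(fd, None)       # fd number reused for a read-only open
            continue
        m = WRITE_RE.match(line)
        if m:
            fd, n = int(m.group("fd")), int(m.group("n"))
            if fd in writable and n > 0:
                result[writable[fd]][2] += n
            continue
        m = CLOSE_RE.match(line)
        if m:
            writable.pop(int(m.group("fd")), None)
    return {path: tuple(v) for path, v in result.items()}


def world_readable_creates(written):
    """Paths created with a mode that grants 'other' read, before umask is applied."""
    return [p for p, (_flags, mode, _n) in written.items()
            if mode is not None and int(mode, 8) & 0o004]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    for path, (flags, mode, n) in files_written(text).items():
        print(f"{path}: {flags} mode={mode} bytes={n}")
```

Run it against a real capture with `strace -f -o trace.txt anyconnect/bin/vpn block 0` followed by `python trace_writes.py trace.txt`; `-f` follows child processes, which matters for clients that hand the work to a helper. A write into a path you did not expect, or a creation mode that grants 'other' read for a file holding credentials or thumbprints, is the kind of thing this filter is meant to surface.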

The real question is why the client stores the address of the gateway you connect to in a profile under /opt, and then saves this other setting in a file under your home directory. The element name, ControllablePreferences, is a hint: the profile under /opt is the administrator-deployed one, and the preferences it marks as user-controllable are the ones the client lets you change and persists per user, so a fresh profile pushed by the headend can change what you are allowed to set.

That did not make much sense to me, but at least I was able to change it. Keep in mind what the change means: with BlockUntrustedServers set to false the client will negotiate with a gateway whose certificate fails validation, which is exactly the position a man-in-the-middle wants you in, so disable it only against a lab headend you control.