certtool --verify --load-ca-certificate ca-cert.pem --infile user-cert.pem
Chain verification output: Verified. The certificate is trusted.

I found it quite different between the iOS and Android AnyConnect clients. Both failed to connect, but Android seems to get further: iOS always prompts for the username again, while Android prompts for the password after the username is entered.

Android client's log: http://pastebin.com/VxubQJQv
iOS client's log: http://pastebin.com/XNYK6iRk

On Sun, Dec 8, 2013 at 3:41 PM, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> On Sun, 2013-12-08 at 03:53 +0800, Karl wrote:
>> Yes, sure, ca-cert set, log shows "[main] processed 1 CA
>> certificate(s)", and the cert-user-oid set to use CN too, but no luck.
>
> Try verifying the certificate that is sent by the client manually using
> certtool and the CA file. What is the output? If it is verified
> correctly try enabling debugging (--tls-debug) in ocserv to pin-point
> the issue, and if it is not obvious send the relevant parts of the log
> here.
>
> As I see your error is not a verification failure, but a failure of the
> verification function which is quite uncommon.
>
> regards,
> Nikos
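The manual check Nikos asks for, and that Karl runs above with certtool, is a chain verification of the client certificate against the CA file ocserv was given. The script below is an added example, not part of this thread or of the ocserv project: it builds a throwaway CA, one client certificate signed by that CA and one self-signed certificate with the same CN, and verifies both against the CA with the openssl equivalent of the certtool command (openssl is assumed to be on PATH; all file names and subject names are constructed for the example). The point it makes is that a matching CN is not enough: only the certificate whose chain ends at the configured CA verifies, which is the condition the "processed 1 CA certificate(s)" log line is there to satisfy.

```shell
#!/bin/sh
# Added example (not from the thread): emulate
#   certtool --verify --load-ca-certificate ca-cert.pem --infile user-cert.pem
# with openssl on a constructed CA and two client certificates.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

CA_CERT="$WORK/ca-cert.pem"
GOOD_CERT="$WORK/user-cert.pem"
ROGUE_CERT="$WORK/rogue-cert.pem"

# verify_against_ca CA_PEM CERT_PEM
# Prints "Verified." when CERT_PEM chains to CA_PEM, "NOT verified." otherwise.
verify_against_ca() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "Verified."
    else
        echo "NOT verified."
    fi
}

# 1. A self-signed CA (constructed; stands in for the ca-cert ocserv is configured with).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca-key.pem" -out "$CA_CERT" \
    -subj "/CN=Example VPN CA" >/dev/null 2>&1

# 2. A client certificate whose CN ocserv would use as the username
#    (cert-user-oid pointing at CN), signed by the CA above.
openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/user-key.pem" -out "$WORK/user.csr" \
    -subj "/CN=karl" >/dev/null 2>&1
openssl x509 -req -days 365 -in "$WORK/user.csr" \
    -CA "$CA_CERT" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
    -out "$GOOD_CERT" >/dev/null 2>&1

# 3. A certificate with the same CN but self-signed under a different key:
#    the CN matches, yet it does not chain to the configured CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/rogue-key.pem" -out "$ROGUE_CERT" \
    -subj "/CN=karl" >/dev/null 2>&1

echo "signed by CA : $(verify_against_ca "$CA_CERT" "$GOOD_CERT")"
echo "self-signed  : $(verify_against_ca "$CA_CERT" "$ROGUE_CERT")"
```

If the real client certificate verifies here but ocserv still rejects it, the remaining suspects are what ocserv does after verification (the CN-to-username mapping and the client's handling of the resulting prompt), which is what the --tls-debug output is meant to expose.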