On Sun, 2013-12-08 at 23:35 +0800, Karl wrote:
> certtool --verify --load-ca-certificate ca-cert.pem --infile user-cert.pem
> Chain verification output: Verified. The certificate is trusted.
>
> I found it quite different between the iOS and Android AnyConnect clients;
> both failed to connect, but Android seems to get further: iOS always
> prompts for the username, Android prompts for the password after the username is entered.
> Android client's log: http://pastebin.com/VxubQJQv

That client would only work with the ocserv version in the repository.

> iOS client's log: http://pastebin.com/XNYK6iRk

Here I see the following on the client's connection:

> ocserv[13876]: TLS[<4>]: REC[0x87d11c0]: Alert[2|46] - Unknown certificate - was received

Meaning that the client alerted that it doesn't like (trust) the server certificate. Could that be the issue?

> ocserv[13879]: TLS[<2>]: ASSERT: cert.c:1094
> ocserv[13879]: [MYIP]:55974 error verifying client certificate

The client sent no certificate for some reason. That most likely would be (a) because of the reason above, or (b) because the ca-cert set doesn't match the client's issuer CA.

I'd suggest using the version in git as well, and trying to capture the traffic with wireshark and send it to me (also the client's certificate). With that I could rule out case b.

regards,
Nikos
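The diagnosis above hinges on decoding the gnutls `Alert[level|description]` field (level 2 is a fatal alert, description 46 is `certificate_unknown`, i.e. the peer rejected the certificate it was shown) and on pairing it with the server-side "error verifying client certificate" message for the same worker process. The following script is an added example for this thread, not code from ocserv or from either correspondent; it assumes only the log line shapes quoted above, and the last sample line is a constructed clean-close entry, not taken from the thread.

```python
"""Triage helper for ocserv/gnutls TLS handshake log lines (added example).

Decodes the "Alert[level|description]" field gnutls prints when the peer
sends a TLS alert and groups it with the server-side "error verifying
client certificate" message, per worker pid, so the two failure modes
discussed in the thread can be told apart. Regexes assume the log
shapes quoted in the thread.
"""
import re
from collections import defaultdict

ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of the TLS AlertDescription registry (RFC 5246, section 7.2).
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    49: "access_denied",
    70: "protocol_version",
    80: "internal_error",
}
# Descriptions meaning the peer rejected the certificate it was presented.
CERT_REJECT_ALERTS = {42, 43, 44, 45, 46, 48}

ALERT_RE = re.compile(r"ocserv\[(\d+)\]: .*Alert\[(\d+)\|(\d+)\].*was received")
CLIENT_CERT_RE = re.compile(r"ocserv\[(\d+)\]: .*error verifying client certificate")


def decode_alert(level, desc):
    """Return a readable name for a TLS alert level/description pair."""
    lvl = ALERT_LEVELS.get(level, f"level{level}")
    name = ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})")
    return f"{lvl} {name}"


def triage(lines):
    """Group evidence per ocserv worker pid.

    Returns {pid: {"alerts": [(level, desc), ...], "client_cert_failed": bool}}.
    """
    per_pid = defaultdict(lambda: {"alerts": [], "client_cert_failed": False})
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            pid, level, desc = (int(x) for x in m.groups())
            per_pid[pid]["alerts"].append((level, desc))
            continue
        m = CLIENT_CERT_RE.search(line)
        if m:
            per_pid[int(m.group(1))]["client_cert_failed"] = True
    return dict(per_pid)


def diagnose(lines):
    """Return [(pid, verdict)] following the reasoning used in the thread."""
    verdicts = []
    for pid, ev in sorted(triage(lines).items()):
        rejected = [decode_alert(lvl, d) for lvl, d in ev["alerts"] if d in CERT_REJECT_ALERTS]
        if rejected:
            # Case (a): the client did not trust the server certificate, so it
            # never got as far as presenting its own.
            verdicts.append((pid, "client rejected server certificate: " + ", ".join(rejected)))
        elif ev["client_cert_failed"]:
            # Case (b): no acceptable client certificate arrived; check that the
            # server's ca-cert matches the issuer of the client certificate.
            verdicts.append((pid, "server could not verify client certificate; "
                                  "check ca-cert matches the client's issuer CA"))
        else:
            verdicts.append((pid, "no certificate-related failure seen"))
    return verdicts


# Sample input: the three lines quoted in the thread plus one constructed
# clean-close line (pid 13880) to show a worker that is not in error.
SAMPLE_LOG = [
    "ocserv[13876]: TLS[<4>]: REC[0x87d11c0]: Alert[2|46] - Unknown certificate - was received",
    "ocserv[13879]: TLS[<2>]: ASSERT: cert.c:1094",
    "ocserv[13879]: [MYIP]:55974 error verifying client certificate",
    "ocserv[13880]: TLS[<4>]: REC[0x87d2000]: Alert[1|0] - Close notify - was received",
]

if __name__ == "__main__":
    for pid, verdict in diagnose(SAMPLE_LOG):
        print(f"pid {pid}: {verdict}")
```

Run it against a captured ocserv log (one line per list entry) and the per-pid verdicts separate connections where the client refused the server's certificate from those where the server could not validate the client's; only the latter calls for checking the ca-cert set against the client certificate's issuer.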