Tried to check all the possibilities, with no luck. You mean capturing the traffic with wireshark on server side? Is there any simple instruction to do capture work? Thanks. On Mon, Dec 9, 2013 at 2:01 AM, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote: > On Sun, 2013-12-08 at 23:35 +0800, Karl wrote: >> certtool --verify --load-ca-certificate ca-cert.pem --infile user-cert.pem >> Chain verification output: Verified. The certificate is trusted. >> >> I found it quite different between iOS and Android AnyConnect client, >> both failed to connect, but Android looks go further, iOS always >> prompts username, Android will prompt password after input username. >> Android client's log: http://pastebin.com/VxubQJQv > > That client would only work with the ocserv version in the repository. > >> iOS client's log: http://pastebin.com/XNYK6iRk > > Here I see the following on the client's connection: >> ocserv[13876]: TLS[<4>]: REC[0x87d11c0]: Alert[2|46] - Unknown > certificate - was received > > Meaning that the client alerted that it doesn't like (trust) the server > certificate. Could that be the issue? > >> ocserv[13879]: TLS[<2>]: ASSERT: cert.c:1094 >> ocserv[13879]: [MYIP]:55974 error verifying client certificate > > The client sent no certificate for some reason. That most likely would > be (a) because of the reason above, or (b) because the ca-cert set > doesn't match the client's issuer CA. > > I'd suggest to use the version in git as well, and try capturing the > traffic with wireshark and send it to me (also the client's > certificate). With that I could rule out case b. > > regards, > Nikos > >