Hi, Nikos, after adding Digital Signature, Key Encipherment, Data Encipherment, Certificate Sign, TLS Web Client Authentication to the user cert, it looks *better*. I sent the logs in case you are interested in looking.

ocserv[20805]: [vpn.server.com]:49540 accepted connection
ocserv[20805]: [vpn.server.com]:49540 error verifying client certificate: No certificate was found.
ocserv[20799]: sec-mod received request from pid 20805 and uid 65534
ocserv[20805]: [vpn.server.com]:49540 TLS handshake completed
ocserv[20805]: [vpn.server.com]:49540 no certificate provided for authentication
ocserv[20798]: [vpn.server.com]:49540 command socket closed
ocserv[20806]: [vpn.server.com]:49541 accepted connection
ocserv[20806]: [vpn.server.com]:49541 sending resumption request (fetch)
ocserv[20806]: [vpn.server.com]:49541 error verifying client certificate: No certificate was found.
ocserv[20806]: [vpn.server.com]:49541 TLS handshake completed
ocserv[20806]: [vpn.server.com]:49541 no certificate provided for authentication
ocserv[20798]: [vpn.server.com]:49541 command socket closed
ocserv[20807]: [vpn.server.com]:49542 accepted connection
ocserv[20807]: [vpn.server.com]:49542 error verifying client certificate: No certificate was found.
ocserv[20799]: sec-mod received request from pid 20807 and uid 65534
ocserv[20807]: [vpn.server.com]:49542 TLS handshake completed
ocserv[20798]: [vpn.server.com]:49542 command socket closed

On Tue, Dec 10, 2013 at 3:48 PM, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> On Mon, Dec 9, 2013 at 11:04 PM, Karl <weeker at outlook.com> wrote:
>> That works great on Android now. Thanks, Nikos.
>>
>> On iOS client, it still fails with an infinite username prompt, log:
>>
>> ocserv[14809]: [MYIP]:61337 accepted connection
>> ocserv[14809]: GnuTLS error (at worker-vpn.c:571): The TLS connection
>> was non-properly terminated.
>> ocserv[14807]: [MYIP]:61337 command socket closed
>>
>> tls-debug log: http://pastebin.com/9SAjZJ79
>> iOS client complains: No valid certificates available for
>> authentication. Which Cisco doc said: "The secure gateway did not
>> accept any of the certificates AnyConnect provided. No more
>> certificates remain."
>
> Well, I cannot tell much from the log as I don't know to which gnutls
> version it corresponds. However what I see there is the client
> receiving the certificate request and (possibly) bailing out. That
> could mean that the client didn't like the CA certificate that was
> sent by the server (possibly it didn't correspond to its client
> certificate?). Is there debugging output available on the iOS client?
>
> regards,
> Nikos

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Logs2013-12-11iPhone03_42_59.zip
Type: application/zip
Size: 4522 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20131211/2e0aa5b9/attachment.zip>
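The two checks behind Nikos's suspicion, as an added example that is not part of this thread and not ocserv or OpenConnect code: a client only offers a certificate whose issuer matches one of the CA names in the server's CertificateRequest, and ocserv then needs the certificate to carry client-auth usages. The script builds a throwaway CA and a client certificate with exactly the key usages Karl listed, plus a second unrelated CA to reproduce the mismatch case; the CA names, file paths and the openssl CLI (1.1.1 or later) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl CLI.
# Builds: ca.pem (the CA ocserv trusts), client.pem (signed by it with the
# usages from Karl's mail), other-ca.pem (an unrelated CA, the mismatch case).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profile for the client certificate: the set Karl added.
cat > "$WORK/client.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF

# 1. The CA that ocserv would be configured with (assumed name).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example VPN CA" \
    -keyout "$WORK/ca-key.pem" -out "$WORK/ca.pem" 2>/dev/null

# 2. Client key + CSR, signed by that CA with the profile above.
openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=karl" \
    -keyout "$WORK/client-key.pem" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -sha256 -days 365 \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
    -extfile "$WORK/client.ext" \
    -in "$WORK/client.csr" -out "$WORK/client.pem" 2>/dev/null

# 3. A second, unrelated CA: what the server advertises in the mismatch case.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Other CA" \
    -keyout "$WORK/other-key.pem" -out "$WORK/other-ca.pem" 2>/dev/null

# chain_ok CAFILE CERT: succeeds only if CERT chains to CAFILE. This is the
# same decision the client makes against the CA names in CertificateRequest.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# has_client_auth CERT: succeeds if the EKU includes TLS Web Client Authentication.
has_client_auth() {
    openssl x509 -in "$1" -noout -text | grep -q "TLS Web Client Authentication"
}

# issuer_dn CERT: prints the issuer DN to compare with what the server sends.
issuer_dn() {
    openssl x509 -in "$1" -noout -issuer
}

# Demonstration when run stand-alone.
echo "client cert $(issuer_dn "$WORK/client.pem")"
if chain_ok "$WORK/ca.pem" "$WORK/client.pem"; then
    echo "chains to Example VPN CA: yes"
fi
if chain_ok "$WORK/other-ca.pem" "$WORK/client.pem"; then
    echo "chains to Other CA: yes"
else
    echo "chains to Other CA: no  (client would send no certificate at all)"
fi
if has_client_auth "$WORK/client.pem"; then
    echo "extendedKeyUsage clientAuth: present"
fi

# Against a live server (needs network, so not run here), the CA names the
# server actually advertises are printed by:
#   openssl s_client -connect vpn.server.com:443 </dev/null 2>/dev/null \
#     | sed -n '/Acceptable client certificate CA names/,/Client Certificate Types/p'
# If the issuer printed by issuer_dn is not in that list, the handshake will
# complete with no client certificate, exactly as in the ocserv log above.
```

The failure signature in the log ("TLS handshake completed" followed by "no certificate provided for authentication") is what you get in the mismatch branch: the handshake itself succeeds because an empty Certificate message is valid, and only the application-level check afterwards fails.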