Hi,

Exported certs with id 3, 4 and 6 to myca.crt, but no luck:

% openconnect -v --cafile ./myca.crt --no-cert-check -c 'pkcs11:token=BELPIC%20%28Basic%20PIN%29;id=%02' https://vpn1
Attempting to connect to server x.x.x.x:443
Using PKCS#11 certificate pkcs11:token=BELPIC%20%28Basic%20PIN%29;id=%02;object-type=cert;pin-source=openconnect%3a0x1647930
PIN required for BELPIC (Basic PIN)
Enter PIN:
Using PKCS#11 key pkcs11:token=BELPIC%20%28Basic%20PIN%29;id=%02;object-type=private;pin-source=openconnect%3a0x1647930
Using client certificate 'Christof Haerens (Authentication)'
SSL negotiation with vpn1
Connected to HTTPS on vpn1
GET https://vpn1/
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Tue, 05 Nov 2013 15:21:13 GMT
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length: (0)
SSL negotiation with vpn1
Connected to HTTPS on vpn1
GET https://vpn1/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
Set-Cookie: ClientCertAuthFailed=1; path=/; secure
SSL certificate authentication failed
X-Transcend-Version: 1
HTTP body chunked (-2)
Fixed options give
Please enter your username and password.
Certificate Validation Failure
Failed to obtain WebVPN cookie

On 11/05/2013 04:14 PM, David Woodhouse wrote:
> On Tue, 2013-11-05 at 15:56 +0100, Christof Haerens wrote:
>> So the ID 02 is Authentication, which is the one I use in openconnect -c pkcs11:
>> The ID 04 (label CA) I should export and then pass to openconnect with the --cafile option?
> That or the 'Root' one. I'd export them *both* and put them in a single
> file and use that with the --cafile option.
>
> If either of them are responsible for signing your personal cert, then
> OpenConnect will include them in its SSL negotiation, and that can often
> 'help' the server to realise that it actually *does* trust the cert in
> question.
>
> If that's the issue, then perhaps OpenConnect needs to be taught to go
> looking for these 'supporting' certs in the PKCS#11 store, as well as
> the --cafile. But then again, perhaps GnuTLS ought to do that for
> itself.
>
> Nikos?
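The log above matches the certificate and private key by the token name and the percent-encoded binary 'id' in the pkcs11: URI. The following parser is an added example, not code from the thread or from OpenConnect; it decodes the two URIs printed in the log (copied verbatim; the pin-source value is treated as an opaque string) so the binary id can be compared with the object ids a token listing shows.

```python
"""Decode the pkcs11: URIs (RFC 7512 syntax) seen in the openconnect log.

Added example, not part of the original thread.  Shows that 'id=%02' is
the single byte 0x02, i.e. the object with ID 02 on the token, and that
the certificate and key URIs name the same object pair.
"""
from urllib.parse import unquote_to_bytes

# URIs copied from the log above.
CERT_URI = ("pkcs11:token=BELPIC%20%28Basic%20PIN%29;id=%02;"
            "object-type=cert;pin-source=openconnect%3a0x1647930")
KEY_URI = ("pkcs11:token=BELPIC%20%28Basic%20PIN%29;id=%02;"
           "object-type=private;pin-source=openconnect%3a0x1647930")

# Attributes whose value is arbitrary binary, kept as bytes (not text).
BINARY_ATTRS = {"id"}


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) for a pkcs11: URI.

    Path attributes follow the scheme and are ';'-separated; query
    attributes follow '?' and are '&'-separated.  Every value is
    percent-decoded; 'id' stays bytes.  The older 'object-type' key
    (as printed by this openconnect build) is normalised to RFC 7512's
    'type' so callers only need to check one name.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")

    def decode(segments):
        attrs = {}
        for seg in segments:
            if not seg:
                continue
            key, sep, raw = seg.partition("=")
            if not sep:
                raise ValueError("attribute without '=': %r" % seg)
            if key in attrs:
                raise ValueError("duplicate attribute %r" % key)
            value = unquote_to_bytes(raw)
            attrs[key] = value if key in BINARY_ATTRS else value.decode("utf-8")
        return attrs

    path = decode(path_part.split(";")) if path_part else {}
    query = decode(query_part.split("&")) if query_part else {}
    if "object-type" in path:
        path["type"] = path.pop("object-type")
    return path, query


def same_token_object(uri_a, uri_b):
    """True when both URIs point at the same token and the same object id."""
    a, b = parse_pkcs11_uri(uri_a)[0], parse_pkcs11_uri(uri_b)[0]
    return a.get("token") == b.get("token") and a.get("id") == b.get("id")
```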