Hi,

I'm trying to connect to an OpenConnect server running on CentOS 7 on a remote Digital Ocean VM (this is set up purely for experimenting/learning purposes). For the sake of simplicity, I've disabled SELinux and the firewall on the VM. I'm using Fedora 20 as the client and attempting to set up a connection using Network Manager.

I'm using a self-signed CA from which I've generated the server certificate and key and the client certificate and key. This was all done on openssl as opposed to the gnutls in the example on your website - I hope that doesn't make a difference.

Unfortunately, I'm getting the message below when I run the server in a terminal with debugging enabled. Does it mean anything to anyone? The lines that concern me are the ones about obtaining the username. The subject of the client certificate is:-

subject= /C=GB/ST=West Yorkshire/L=Otley/O=Gareth Williams/OU=OpenConnectClient/CN=gareth/emailAddress=gareth at xxxxxxxxxxxxxx.me.uk

which I extracted using

openssl x509 -in <cert> -noout -subject

The CN is 'gareth' and that's a user on the VM. I'm not 100% certain I understand what that should be as I'm not logging in with a username/password.

ocserv[5011]: worker: xx.xxx.65.223:51482 HTTP: Host: xxxxxxxxxxxxxx.me.uk [0/1333]
ocserv[5011]: worker: xx.xxx.65.223:51482 HTTP: User-Agent: OpenConnect VPN Agent (NetworkManager) v6.00
ocserv[5011]: worker: xx.xxx.65.223:51482 User-agent: 'OpenConnect VPN Agent (NetworkManager) v6.00'
ocserv[5011]: worker: xx.xxx.65.223:51482 HTTP: Accept: */*
ocserv[5011]: worker: xx.xxx.65.223:51482 HTTP: Accept-Encoding: identity
ocserv[5011]: worker: xx.xxx.65.223:51482 HTTP: X-Transcend-Version: 1
ocserv[5011]: worker: xx.xxx.65.223:51482 HTTP GET /
ocserv[5011]: TLS[<2>]: ASSERT: dn.c:239
ocserv[5011]: worker: xx.xxx.65.223:51482 worker-auth.c:397: cannot obtain user from certificate DN: The given memory buffer is too short to hold parameters.
ocserv[5011]: worker: xx.xxx.65.223:51482 worker-auth.c:765: cannot get username ((null)) from certificate
ocserv[5011]: worker: xx.xxx.65.223:51482 cannot obtain certificate information
ocserv[5011]: TLS[<2>]: ASSERT: gnutls_buffers.c:613
ocserv[5011]: TLS[<4>]: REC: Sending Alert[1|0] - Close notify
ocserv[5011]: TLS[<4>]: REC[0x1b02db0]: Preparing Packet Alert(21) with length: 2 and target length: 2
ocserv[5011]: TLS[<9>]: ENC[0x1b02db0]: cipher: AES-128-CBC, MAC: SHA1, Epoch: 1
ocserv[5011]: TLS[<4>]: REC[0x1b02db0]: Sent Packet[2] Alert(21) in epoch 1 and length: 37
ocserv[5011]: TLS[<4>]: REC[0x1b02db0]: Start of epoch cleanup
ocserv[5011]: TLS[<4>]: REC[0x1b02db0]: End of epoch cleanup
ocserv[5011]: TLS[<4>]: REC[0x1b02db0]: Epoch #1 freed
ocserv[5008]: main: xx.xxx.65.223:51482 main-misc.c:414: command socket closed
ocserv[5008]: main: xx.xxx.65.223:51482 removing client '' with id '5011'

Can anyone give me some guidance as to where I've gone wrong?

Thanks in advance,
Gareth