On Wed, Nov 5, 2014 at 10:48 AM, David Woodhouse <dwmw2 at infradead.org> wrote:

>> I tested this by editing the wrapperscript and adding an 'echo
>> "Arguments: $ARGS" >> /tmp/foo' . It seems the wrapperscript isn't
>> being run at all on the cases where it is not working cause nothing is
>> being written to /tmp/foo . When it's working it looks like this:
>> -log debug -ticket "XXXXXXXXX" -stub "0" -group "" -host
>> "https://vpn.xyz.com/CACHE" -certhash "XXXXXXXXX:?
>> ??ef?,?K^z??11T??D "
> That -certhash argument looks horribly wrong. This ought to fix it but I
> can't easily test because for me, gnutls_certificate_get_ours() is
> returning failure (both for file and PKCS#11 certs). Got to run now;
> will hassle Nikos about that later :)

That prompted me to add a unit test and realized it works ok. My
understanding of the Cisco server is that it requires and asks the
certificate once, on the first connection to the server (i.e., the one
that gets the cookie). After that you can establish new ssl connections
with the cookie without the certificate. Could that issue be because of
that (e.g., no hash to supply to the script)?

regards,
Nikos