On Wed, 2014-11-05 at 11:50 +0100, Nikos Mavrogiannopoulos wrote:
> On Wed, Nov 5, 2014 at 10:48 AM, David Woodhouse <dwmw2 at infradead.org> wrote:
> >> I tested this by editing the wrapper script and adding an 'echo
> >> "Arguments: $ARGS" >> /tmp/foo' . It seems the wrapper script isn't
> >> being run at all in the cases where it is not working, because nothing is
> >> being written to /tmp/foo . When it's working it looks like this:
> >> -log debug -ticket "XXXXXXXXX" -stub "0" -group "" -host
> >> "https://vpn.xyz.com/CACHE" -certhash "XXXXXXXXX:?
> >> ??ef?,?K^z??11T??D "
> > That -certhash argument looks horribly wrong. This ought to fix it but I
> > can't easily test because for me, gnutls_certificate_get_ours() is
> > returning failure (both for file and PKCS#11 certs). Got to run now;
> > will hassle Nikos about that later :)
>
> That prompted me to add a unit test and realized it works ok. My
> understanding of the Cisco server is that it requires and asks for the
> certificate once, on the first connection to the server (i.e., the one
> that gets the cookie). After that you can establish new SSL
> connections with the cookie without the certificate. Could that issue
> be because of that (e.g., no hash to supply to the script)?

Yeah, I'm just looking at it now. If we *do* get asked for the client cert,
then gnutls_certificate_get_ours() returns it. If we happen to have *not*
been asked for the certificate on the latest connection to the server, then
gnutls_certificate_get_ours() doesn't do what we want.

I think I need a way to return the hash of the certificate which we *would*
have offered, if the server had asked for it. Which might mean precalculating
it in our load_certificate() function.

-- 
dwmw2
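The two problems visible in this thread are (a) the -certhash value reaching the wrapper script as raw digest bytes rather than hex, and (b) the hash only being available when the server happened to request the client certificate on the current TLS connection. The following is an added illustration of the approach David describes, written for this page in Python with hashlib; it is not OpenConnect's own C/GnuTLS code. `ClientCert`, `load_certificate()` (mirroring the name in the thread), `build_csd_args()` and `is_safe_argv()` are hypothetical names, and `SAMPLE_CERT_DER` is a constructed stand-in for a certificate's DER encoding, not a real certificate. In GnuTLS the digest itself would come from `gnutls_fingerprint()` over the DER datum.

```python
"""Precompute the client-certificate fingerprint once, at load time, and
always hand the script its hex form.  Added example for this thread, not
OpenConnect's implementation."""
import hashlib
import string
from typing import List, Optional

# Constructed stand-in for the DER encoding of a client certificate.
# Any byte string works for the demonstration; a real cert would be DER.
SAMPLE_CERT_DER = b"abc"

# Control whitespace is never acceptable inside a script argument.
_CONTROL_WS = "\t\n\r\x0b\x0c"


def cert_sha1_hex(cert_der: bytes) -> str:
    """SHA-1 fingerprint of the DER encoding as uppercase hex, which is
    the textual form a wrapper script can safely receive in argv."""
    return hashlib.sha1(cert_der).hexdigest().upper()


def is_safe_argv(value: str) -> bool:
    """True if every character is printable ASCII (space allowed)."""
    return all(ch in string.printable and ch not in _CONTROL_WS for ch in value)


def raw_digest_is_unsafe(cert_der: bytes) -> bool:
    """The failure mode seen in the thread: the raw 20-byte digest contains
    non-printable bytes, so passing it as an argument produces garbage."""
    raw = hashlib.sha1(cert_der).digest().decode("latin-1")
    return not is_safe_argv(raw)


class ClientCert:
    """Holds the loaded certificate plus its precomputed fingerprint.

    Because the hash is computed in load_certificate(), it is available on
    every later connection, including those on which the server never asks
    for the certificate and gnutls_certificate_get_ours() would not help.
    """

    def __init__(self) -> None:
        self.der: Optional[bytes] = None
        self.certhash: Optional[str] = None

    def load_certificate(self, cert_der: bytes) -> str:
        self.der = cert_der
        self.certhash = cert_sha1_hex(cert_der)
        return self.certhash


def build_csd_args(cert: ClientCert, ticket: str, host: str) -> List[str]:
    """Assemble the argument list shown in the thread, using the stored hash.

    Raises if the certificate was never loaded or if any argument would
    carry non-printable bytes into the script."""
    if cert.certhash is None:
        raise ValueError("load_certificate() has not been called")
    args = ["-log", "debug", "-ticket", ticket, "-stub", "0", "-group", "",
            "-host", host, "-certhash", cert.certhash]
    bad = [a for a in args if not is_safe_argv(a)]
    if bad:
        raise ValueError("non-printable argument for the script: %r" % bad)
    return args


def demo_args(cert_der: bytes = SAMPLE_CERT_DER) -> List[str]:
    """Load the sample certificate and build the script arguments."""
    cert = ClientCert()
    cert.load_certificate(cert_der)
    return build_csd_args(cert, "TICKET", "https://vpn.example.com/CACHE")


if __name__ == "__main__":
    # Quote empty or space-containing values the way the thread's log shows them.
    print(" ".join('"%s"' % a if a == "" or " " in a else a for a in demo_args()))
    print("raw digest argv-safe:", not raw_digest_is_unsafe(SAMPLE_CERT_DER))
```

The check in `build_csd_args()` is the part worth keeping in any port of this idea: a script argument that is not printable ASCII is a bug regardless of where the bytes came from, and catching it before the exec turns the silent "script not running" symptom from the thread into an explicit error.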