On Thu, Apr 9, 2015 at 10:05 AM, Sebastien Canart <sebastien.canart at onprvp.fgov.be> wrote: > Hello, > The command that I'm currently using (I need to go through our internal > proxy): > # openconnect --timestamp --proxy=localhost:3128 -v --dump-http-traffic > -c 'pkcs11:model=PKCS%2315;mycert[...];object-type=cert' vpnserver [...] > From the error I'm getting (Error signing test data with private key: > PKCS #11 > unsupported feature), I'm guessing that the error is coming directly > from gnutls. The error is from the PKCS #11 library (I guess it is opensc) and probably the card itself. Do you see any difference in "p11tool --list-mechanisms" with the new and old card? It may be that the new key is not allowed to sign using RSA-PKCS. You can verify whether signing works with pkcs11-tool (from opensc) using something like: pkcs11-tool --module /path/to/opensc-pkcs11.so -s -M pkcs11-tool --module /path/to/opensc-pkcs11.so -s -m RSA-PKCS --id 02 regards, Nikos
