Hi, All,

I've installed ocserv 0.8.9 on Debian 7 with the authentication of "user/pass", and it worked OK with the following clients:

Win 7 -- Cisco AnyConnect Secure Mobility Client (ACSMC) v3.1
iOS 7 -- Cisco AnyConnect v3.0
Android 4 -- OpenConnect v1.0.2

Then I changed the authentication to "certificate". So I made the client certificate and then verified it OK. Then converted it to *.p12 format with the following command:

[ openssl pkcs12 -export -inkey user-key.pem -in user-cert.pem -certfile ca-cert.pem -out user-cert.p12 ]

After importing the *.p12 certificate, the clients for iOS and Android worked OK but ACSMC on win7 failed.

##### ocserv.conf #####
auth = "certificate"
max-clients = 16
max-same-clients = 2
tcp-port = 443
udp-port = 443
keepalive = 32400
dpd = 180
mobile-dpd = 1800
try-mtu-discovery = true
server-cert = /etc/ssl/certs/server-cert.pem
server-key = /etc/ssl/private/server-key.pem
ca-cert = /etc/ssl/certs/ca-cert.pem
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
auth-timeout = 40
mobile-idle-timeout
cookie-timeout = 86400000
rekey-time = 86400000
rekey-method = ssl
use-utmp = true
use-occtl = true
pid-file = /var/run/ocserv.pid
socket-file = /var/run/ocserv-socket
run-as-user = nobody
run-as-group = nogroup
net-priority = 5
cgroup = "cpuset,cpu:test"
device = vpns
default-domain = example.com
ipv4-network = 10.10.0.0
ipv4-netmask = 255.255.255.0
dns = 8.8.8.8
dns = 208.67.222.222
ping-leases = false
output-buffer = 10
route-add-cmd = "ip route add %{R} dev %{D}"
route-del-cmd = "ip route delete %{R} dev %{D}"
cisco-client-compat =true
custom-header = "X-DTLS-MTU: 1200"
custom-header = "X-CSTP-MTU: 1200"
user-profile = /etc/ocserv/profile/profile.xml #copied from sample doc
##### END #####

##### syslog #####
listening (TCP) on 0.0.0.0:443...
listening (TCP) on [::]:443...
listening (UDP) on 0.0.0.0:443...
listening (UDP) on [::]:443...
ocserv[4155]: main: initializing control unix socket: /var/run/occtl.socket
ocserv[4155]: main: initialized ocserv 0.8.9
ocserv[4156]: sec-mod: sec-mod initialized (socket: /var/run/ocserv-socket.4155)
ocserv[4156]: sec-mod: received request from pid 4155 and uid 0
ocserv[4156]: sec-mod: cmd [size=55] sm: sign
ocserv[4155]: main: processed 1 CA certificate(s)
ocserv[4155]: main: putting process 4157 to cgroup 'cpuset:test'
ocserv[4155]: main: main-misc.c:755: cannot open: /sys/fs/cgroup/cpuset/test/tasks
ocserv[4157]: worker: *.*.*.*:49253 accepted connection
ocserv[4156]: sec-mod: received request from pid 4157 and uid 65534
ocserv[4156]: sec-mod: cmd [size=40] sm: sign
ocserv[4157]: GnuTLS error (at worker-vpn.c:749): The TLS connection was non-properly terminated.
ocserv[4155]: main: *.*.*.*:49253 main-misc.c:426: command socket closed
ocserv[4155]: main: *.*.*.*:49253 removing client '' with id '4157'
ocserv[4155]: main: putting process 4158 to cgroup 'cpuset:test'
ocserv[4155]: main: main-misc.c:755: cannot open: /sys/fs/cgroup/cpuset/test/tasks
ocserv[4158]: worker: *.*.*.*:49254 accepted connection
ocserv[4156]: sec-mod: received request from pid 4158 and uid 65534
ocserv[4156]: sec-mod: cmd [size=40] sm: sign
ocserv[4158]: worker: *.*.*.*:49254 tlslib.c:372: error verifying client certificate: No certificate was found.
ocserv[4158]: worker: *.*.*.*:49254 sending message 'resume data store request' to main
ocserv[4155]: main: *.*.*.*:49254 main received message 'resume data store request' of 277 bytes
ocserv[4155]: main: *.*.*.*:49254 TLS session DB storing 686ddc63ffb32dbaae7b8f3161837f74f7eba7c219fcbd32de3f436b55211abe
ocserv[4158]: worker: *.*.*.*:49254 TLS handshake completed
ocserv[4155]: main: *.*.*.*:49254 main-misc.c:426: command socket closed
ocserv[4155]: main: *.*.*.*:49254 removing client '' with id '4158'
ocserv[4155]: main: putting process 4159 to cgroup 'cpuset:test'
ocserv[4155]: main: main-misc.c:755: cannot open: /sys/fs/cgroup/cpuset/test/tasks
ocserv[4159]: worker: *.*.*.*:49255 accepted connection
ocserv[4159]: worker: *.*.*.*:49255 sending message 'resume data fetch request' to main
ocserv[4155]: main: *.*.*.*:49255 main received message 'resume data fetch request' of 34 bytes
ocserv[4155]: main: *.*.*.*:49255 TLS session DB resuming 686ddc63ffb32dbaae7b8f3161837f74f7eba7c219fcbd32de3f436b55211abe
ocserv[4155]: main: *.*.*.*:49255 sending message 'resume data fetch reply' to worker
ocserv[4159]: worker: *.*.*.*:49255 tlslib.c:372: error verifying client certificate: No certificate was found.
ocserv[4159]: worker: *.*.*.*:49255 TLS handshake completed
ocserv[4159]: worker: *.*.*.*:49255 User-agent: 'AnyConnect Windows 3.1.06073'
ocserv[4159]: worker: *.*.*.*:49255 cannot find 'group-select' in client XML message
ocserv[4159]: worker: *.*.*.*:49255 cannot find 'group-select' in client XML message
ocserv[4159]: worker: *.*.*.*:49255 failed reading groupname
ocserv[4159]: worker: *.*.*.*:49255 no certificate provided for authentication
ocserv[4155]: main: *.*.*.*:49255 main-misc.c:426: command socket closed
ocserv[4155]: main: *.*.*.*:49255 removing client '' with id '4159'
##### END #####

It seemed that ACSMC on win7 didn't recognize the certificate (imported via 'mmc' command, the same way for strongSwan certificate which works OK).
Any recommendations would be really appreciated.

Thanks in adv.

regards,
Tefeng
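
Added example, not part of the original post: a small Python triage of the syslog excerpt above that groups ocserv worker lines by PID and reports, per connection, whether the TLS handshake finished without a client certificate being presented. The function names and verdict labels are assumptions made for this example; the log lines are copied from the post.

```python
import re

# Lines copied from the syslog excerpt in the post (a selection of them).
SAMPLE_LOG = """\
ocserv[4155]: main: processed 1 CA certificate(s)
ocserv[4157]: worker: *.*.*.*:49253 accepted connection
ocserv[4157]: GnuTLS error (at worker-vpn.c:749): The TLS connection was non-properly terminated.
ocserv[4158]: worker: *.*.*.*:49254 accepted connection
ocserv[4158]: worker: *.*.*.*:49254 tlslib.c:372: error verifying client certificate: No certificate was found.
ocserv[4158]: worker: *.*.*.*:49254 TLS handshake completed
ocserv[4159]: worker: *.*.*.*:49255 accepted connection
ocserv[4159]: worker: *.*.*.*:49255 tlslib.c:372: error verifying client certificate: No certificate was found.
ocserv[4159]: worker: *.*.*.*:49255 TLS handshake completed
ocserv[4159]: worker: *.*.*.*:49255 User-agent: 'AnyConnect Windows 3.1.06073'
ocserv[4159]: worker: *.*.*.*:49255 no certificate provided for authentication
"""

LINE = re.compile(r"ocserv\[(\d+)\]: (.*)")   # "." stops at newline: one match per log line
ACCEPT = re.compile(r"worker: (\S+) accepted connection")
AGENT = re.compile(r"User-agent: '([^']*)'")

def summarize(log_text):
    """Group worker lines by PID; one record per accepted connection, in log order."""
    sessions = {}
    for m in LINE.finditer(log_text):
        pid, msg = int(m.group(1)), m.group(2)
        accepted = ACCEPT.match(msg)
        if accepted:
            sessions[pid] = {"peer": accepted.group(1), "cert_missing": False,
                             "handshake": False, "tls_error": False,
                             "auth_rejected": False, "user_agent": None}
        elif pid in sessions:  # lines from main and sec-mod are skipped
            s = sessions[pid]
            s["cert_missing"] |= "No certificate was found" in msg
            s["handshake"] |= "TLS handshake completed" in msg
            s["tls_error"] |= msg.startswith("GnuTLS error")
            s["auth_rejected"] |= "no certificate provided for authentication" in msg
            agent = AGENT.search(msg)
            if agent:
                s["user_agent"] = agent.group(1)
    return sessions

def verdict(s):
    """Classify a session strictly from what the server logged."""
    if s["tls_error"] and not s["handshake"]:
        return "tls-aborted"
    if s["handshake"] and s["cert_missing"]:
        return "handshake-without-client-cert"
    return "ok" if s["handshake"] else "incomplete"
```

Calling `summarize()` on a full syslog capture and printing `verdict()` per PID shows at a glance which connection attempts reached the server without a certificate and which client (User-agent) made them.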