(it may be a while before I get to testing that new version of libp11)

I finally got an OpenConnect RPM built that will install on my EL6 system. But, no matter what pkcs11 URL I tried, it fails to load the certificate after I enter my PIN. To rule out any nuances with EL6, I installed OpenConnect on a CentOS 7 VM, and I'm getting the same error!

I'm following the how-to from here:
http://jonathonreinhart.blogspot.com/2015/01/connecting-to-cisco-asa-vpn-with-dod.html

# p11tool --list-all-certs pkcs11:model=;manufacturer=;serial=;token=HERNANDEZ.OLIVER.xxxx.xxxx

gives me in the output the certificate I need to use to authenticate with, the second one listed:

Object 1:
        URL: pkcs11:model=;manufacturer=;serial=;token=HERNANDEZ.OLIVER.xxx.xxxxxx;id=%00%02;object=CAC%20Email%20Signature%20Certificate;object-type=cert
        Type: X.509 Certificate
        Label: CAC Email Signature Certificate
        ID: 00:02

And the result of attempting to connect:

# openconnect --no-cert-check -c 'pkcs11:token=HERNANDEZ.OLIVER.xxx.xxxxx;id=%02' foo.remotevpn.com
POST https://foo.remotevpn.com/
Attempting to connect to server 111.222.33.44:443
PIN required for HERNANDEZ.OLIVER.xxx.xxxxx
Enter PIN:
Error loading certificate from PKCS#11: The requested data were not available.
Loading certificate failed. Aborting.
Failed to open HTTPS connection to foo.remotevpn.com
Failed to obtain WebVPN cookie
#

Thanks!

On Mon, Jul 11, 2016 at 3:31 AM, Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com> wrote:
> I've pushed the latest version of libp11 for el6. To speed this
> inclusion, please leave some karma at:
> https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-ce3a833dca
>
> On Fri, Jul 8, 2016 at 1:40 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
>> On Fri, 2016-07-08 at 10:24 +0100, David Woodhouse wrote:
>>> On Fri, 2016-07-08 at 10:53 +0200, Nikos Mavrogiannopoulos wrote:
>>> > On Thu, Jul 7, 2016 at 11:20 PM, Oliver Hernandez
>>> > <mr.oliver.hernandez at gmail.com> wrote:
>>> > > I now have a need to connect to a Cisco VPN that authenticates with a
>>> > > PKCS Smart Card. This EL6 build of OpenConnect does not have the
>>> > > PKCS#11 support. Any chance there's an EL6 version of OpenConnect 7
>>> > > built with PKCS#11 support? Thanks!
>>> >
>>> > No the libraries there are too old. You'll have to use RHEL7.
>>>
>>> Don't we just need to package libp11 for EPEL6?
>>
>> I made a scratch build of libp11 for EL6:
>> https://koji.fedoraproject.org/koji/taskinfo?taskID=14819597
>>
>> I installed this (and p11-kit-devel) on a CentOS 6 VM and built
>> OpenConnect. It seems to work.
>>
>> --
>> dwmw2