On Thu, 2016-06-02 at 23:25 -0700, Bill Broadley wrote:
> Greetings,
>
> I'm using ubuntu-16.04 which defaults to OpenSSL-1.0.2g.
>
> I built OpenConnect from git tonight, installed all the optional
> dependencies except for LIBPSKC.

I'd recommend using GnuTLS instead of OpenSSL.

> I'm trying to get OpenConnect to work instead of the pulse client.
>
> The pulse instructions:
> 1) Download Pulse 8.1R7
> 2) download the example.com.der certificate

This isn't a personal certificate (which would have a corresponding private key), issued to you personally, is it? It's "This is the certificate which identifies our VPN server; download it because the VPN server doesn't have a *proper* certificate that's signed by one of the known public CAs."

> OpenConnect didn't seem to like the der cert, so I:
> $ openssl x509 -inform der -in vpn.example.com.der -out vpn.example.com.pem
>
> Then tried (using example.com to keep site specific details to the minimum):
>
> # ./openconnect --proto=nc --certificate=/home/bill/Downloads/vpn.example.com.pem https://vpn.example.com
> GET https://vpn.example.com/
> Connected to 109.108.107.106:443
> Using client certificate '/C=US/postalCode=90210/ST=CA/L=Hollywood/street/OU=Library/CN=vpn.example.com'
> Using client certificate '/C=US/postalCode=90210/ST=CA/L=Hollywood/street 5th Ave/O=Example corp/OU=Library/CN=vpn.example.com'
> Failed to identify private key type in '/home/bill/Downloads/vpn.example.com.pem'

Right, that really does look like it's the *server's* certificate. So you'd want to use that with '--cafile vpn.example.com.pem'. Although I don't see a complaint in your log that the server's certificate wasn't accepted, so you might not need it.

> I got similar with openconnect --juniper --certificate:
> Connected to 109.108.107.106:443
> SSL negotiation with vpn.example.com
> SSL connection failure
>
> If I add --certificate I get the same private key error as above.

That example was *without* --certificate then, yes?
Using the stock OpenConnect 7.06 (using GnuTLS) on Fedora 24, it works for me when I connect to what I think is your 'vpn.example.com'...

$ openconnect --juniper vpn.example.com
WARNING: Juniper Network Connect support is experimental. It will probably be superseded by Junos Pulse support.
GET https://vpn.example.com/
Attempting to connect to server x.x.x.x:443
SSL negotiation with vpn.example.com
Server certificate verify failed: signer not found

Certificate from VPN server "vpn.example.com" failed verification.
Reason: signer not found
Enter 'yes' to accept, 'no' to abort; anything else to view: ^C

$ openconnect --juniper vpn.example.com --cafile vpn.example.com.pem
WARNING: Juniper Network Connect support is experimental. It will probably be superseded by Junos Pulse support.
GET https://vpn.example.com/
Attempting to connect to server x.x.x.x:443
SSL negotiation with vpn.example.com
Connected to HTTPS on vpn.example.com
Got HTTP response: HTTP/1.1 302 Found
GET https://vpn.example.com/dana-na/auth/url_3/welcome.cgi
SSL negotiation with vpn.example.com
Connected to HTTPS on vpn.example.com
frmLogin
username:

At this point if I had a username and password it looks like I should be able to proceed and get at least Legacy IP connectivity (we need to implement the Pulse protocol before we get IPv6).

> My end goal is to get a Puppet managed OpenConnect working for linux
> clients that enables IPv4 and IPv6.

You'll be using NetworkManager, I assume? So Puppet would be poking the NM configuration into place with 'nmcli con add ...'?

-- 
dwmw2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5760 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20160603/edac08ed/attachment.bin>
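The distinction the reply draws (certificate plus private key = a personal certificate for --certificate; certificate alone = the server's own certificate for --cafile; no PEM armour = still DER and in need of the openssl conversion) as an added POSIX sh helper that is not part of the thread or of OpenConnect itself; the file names and PEM fixtures it writes are constructed placeholders, not real keys or certificates.

```shell
#!/bin/sh
# Added example (not from the thread): decide which OpenConnect option a
# certificate file belongs with, from its PEM armour alone. Needs only sh,
# grep, printf and mktemp.

# Prints: der | cafile | certificate | unknown
classify_cert_file() {
    f="$1"
    if ! grep -q -- '-----BEGIN ' "$f" 2>/dev/null; then
        echo der          # no PEM armour: still DER, convert with openssl x509 -inform der
        return 0
    fi
    has_cert=0; has_key=0
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" && has_cert=1
    grep -qE -- '-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$f" && has_key=1
    if [ "$has_key" -eq 1 ]; then
        echo certificate  # has a private key: a personal (client) cert, what --certificate wants
    elif [ "$has_cert" -eq 1 ]; then
        echo cafile       # cert but no key: the server's own cert, what --cafile wants;
                          # handing it to --certificate is what produced
                          # "Failed to identify private key type"
    else
        echo unknown
    fi
}

# Print the command to run for server $1 with certificate file $2.
openconnect_cmdline() {
    case "$(classify_cert_file "$2")" in
        cafile)      echo "openconnect --juniper --cafile $2 $1" ;;
        certificate) echo "openconnect --juniper --certificate $2 $1" ;;
        der)         echo "openssl x509 -inform der -in $2 -out ${2%.der}.pem" ;;
        *)           echo "cannot classify $2"; return 1 ;;
    esac
}

# Constructed fixtures (the PEM bodies are placeholders, not real keys or certs).
DEMO_DIR=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholder' '-----END CERTIFICATE-----' \
    > "$DEMO_DIR/vpn.example.com.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholder' '-----END CERTIFICATE-----' \
    '-----BEGIN PRIVATE KEY-----' 'MIIEplaceholder' '-----END PRIVATE KEY-----' \
    > "$DEMO_DIR/bill.pem"
printf '0\202\001x constructed DER stand-in\n' > "$DEMO_DIR/vpn.example.com.der"

openconnect_cmdline vpn.example.com "$DEMO_DIR/vpn.example.com.pem"
openconnect_cmdline vpn.example.com "$DEMO_DIR/bill.pem"
openconnect_cmdline vpn.example.com "$DEMO_DIR/vpn.example.com.der"
```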