Getting "SSL connection failure: PKCS #11 error." even when supplying the correct CA file

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,


I've had trouble connecting to a VPN using openconnect since some
unknown change either on the server side (new certificate) or the client
side (updated ca-certificates package maybe), I haven't been able to
figure this out.

Basically, the symptoms are an SSL connection failure in openconnect:

> Using client certificate 'My name'
> Got no issuer from PKCS#11
> SSL negotiation with vpn.host.tld
> Connected to HTTPS on vpn.host.tld
> Got HTTP response: HTTP/1.1 200 OK
> Content-Type: text/html; charset=utf-8
> Transfer-Encoding: chunked
> Cache-Control: no-cache
> Pragma: no-cache
> Connection: Keep-Alive
> Date: Fri, 28 Apr 2017 08:14:48 GMT
> X-Frame-Options: SAMEORIGIN
> X-Aggregate-Auth: 1
> HTTP body chunked (-2)
> POST https://vpn.host.tld/
> SSL negotiation with vpn.host.tld
> SSL connection failure: PKCS #11 error.
> Failed to open HTTPS connection to vpn.host.tld
> Failed to obtain WebVPN cookie
>
I also tried it using the AnyConnect client for Linux and it would also
say "Certificate validation error".

So after much ranting and giving up for a while, I retried today and
found a working solution for the AnyConnect client here:
http://blog.bstpierre.org/fixing-certificate-errors-with-cisco-anyconnect

The server certificate for vpn.host.tld is signed by the DigiCert CA:

> issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2
> Extended Validation Server CA

So I exported the .pem from Firefox's certificates to
/opt/.cisco/certificates and with that, the AnyConnect client started
working.

I tried the same with openconnect, in two ways:

1) Copying the pem to /etc/ssl/certs/ and

2) Specifying it directly passing the --cafile parameter to openconnect

> openconnect -v --no-system-trust
> --cafile=/etc/ssl/certs/DigiCert_SHA2_Extended_Validation_Server_CA.pem
> --script /root/vpnc-script -c 'pkcs11:model=Classic?' https://vpn.host.tld

? but to no avail.

Does someone have an idea why the above-mentioned solution would work
for the anyconnect client, but not for openconnect?


Best regards,
David

-- 
TenTwentyFour S.? r.l.
W: www.tentwentyfour.lu
T: +352 20 211 1024
F: +352 20 211 1023
9 av. des Hauts-Fourneaux
4362 Esch-sur-Alzette


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20170428/ac74a282/attachment.sig>


[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux