Hi,

I've had trouble connecting to a VPN using openconnect since some unknown change either on the server side (new certificate) or the client side (updated ca-certificates package maybe); I haven't been able to figure this out.

Basically, the symptoms are an SSL connection failure in openconnect:

> Using client certificate 'My name'
> Got no issuer from PKCS#11
> SSL negotiation with vpn.host.tld
> Connected to HTTPS on vpn.host.tld
> Got HTTP response: HTTP/1.1 200 OK
> Content-Type: text/html; charset=utf-8
> Transfer-Encoding: chunked
> Cache-Control: no-cache
> Pragma: no-cache
> Connection: Keep-Alive
> Date: Fri, 28 Apr 2017 08:14:48 GMT
> X-Frame-Options: SAMEORIGIN
> X-Aggregate-Auth: 1
> HTTP body chunked (-2)
> POST https://vpn.host.tld/
> SSL negotiation with vpn.host.tld
> SSL connection failure: PKCS #11 error.
> Failed to open HTTPS connection to vpn.host.tld
> Failed to obtain WebVPN cookie

I also tried it using the AnyConnect client for Linux and it would also say "Certificate validation error".

So after much ranting and giving up for a while, I retried today and found a working solution for the AnyConnect client here:
http://blog.bstpierre.org/fixing-certificate-errors-with-cisco-anyconnect

The server certificate for vpn.host.tld is signed by the DigiCert CA:

> issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA

So I exported the .pem from Firefox's certificates to /opt/.cisco/certificates and with that, the AnyConnect client started working.

I tried the same with openconnect, in two ways:

1) Copying the pem to /etc/ssl/certs/ and
2) Specifying it directly by passing the --cafile parameter to openconnect:

> openconnect -v --no-system-trust
> --cafile=/etc/ssl/certs/DigiCert_SHA2_Extended_Validation_Server_CA.pem
> --script /root/vpnc-script -c 'pkcs11:model=Classic?' https://vpn.host.tld

... but to no avail.
Does someone have an idea why the above-mentioned solution would work for the AnyConnect client, but not for openconnect?

Best regards,
David

-- 
TenTwentyFour S.à r.l.
W: www.tentwentyfour.lu
T: +352 20 211 1024
F: +352 20 211 1023
9 av. des Hauts-Fourneaux
4362 Esch-sur-Alzette
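A diagnostic worth running before changing a client's trust settings is to check what the CA file you intend to pass as the sole trust store (as --no-system-trust plus --cafile does above) actually anchors: whether the file is a self-signed root or an intermediate issuer, and whether the server certificate verifies against it. The script below is an added example, not code from the original post or from the openconnect project; it builds a throwaway root -> intermediate -> server chain with the openssl command-line tool (all names such as "Demo Root CA" and vpn.example.test are constructed) and exercises `openssl verify` with different CA files. It only shows how OpenSSL's verifier treats these cases; openconnect may be built against GnuTLS, whose trust-anchor handling is not demonstrated here.

```shell
#!/bin/sh
# Added example (not from the original post): build a demo certificate chain
# and see which CA files let `openssl verify` accept the server certificate.
set -e
DEMO_DIR=$(mktemp -d)

make_demo_chain() {
  d=$DEMO_DIR
  # Extension files: CA certs get CA:TRUE, the server cert gets CA:FALSE plus a SAN.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:vpn.example.test\n' > "$d/leaf.ext"

  # Root CA: self-signed (subject == issuer), the only thing a default verifier treats as an anchor.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1

  # Intermediate CA, signed by the root (the role "DigiCert SHA2 Extended Validation Server CA" plays).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" >/dev/null 2>&1

  # Server certificate, signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -extfile "$d/leaf.ext" -out "$d/leaf.pem" >/dev/null 2>&1

  # A bundle holding both the root and the intermediate.
  cat "$d/root.pem" "$d/int.pem" > "$d/bundle.pem"
}

# is_self_signed FILE: succeeds when the certificate's subject equals its issuer.
is_self_signed() {
  subj=$(openssl x509 -in "$DEMO_DIR/$1" -noout -subject | sed 's/^subject= *//')
  iss=$(openssl x509 -in "$DEMO_DIR/$1" -noout -issuer | sed 's/^issuer= *//')
  [ "$subj" = "$iss" ]
}

# verify_leaf CAFILE [extra openssl verify options]: succeeds when the server
# cert chains to a trust anchor in CAFILE. -no-CApath disables the system
# certificate directory, mirroring openconnect's --no-system-trust.
verify_leaf() {
  cafile=$1; shift
  openssl verify -no-CApath "$@" -CAfile "$DEMO_DIR/$cafile" "$DEMO_DIR/leaf.pem" >/dev/null 2>&1
}

# report LABEL CAFILE [options]: one human-readable line per case.
report() {
  label=$1; shift
  if verify_leaf "$@"; then echo "$label: OK"; else echo "$label: FAIL"; fi
}

make_demo_chain
for f in root.pem int.pem leaf.pem; do
  if is_self_signed "$f"; then echo "$f is self-signed"; else echo "$f is NOT self-signed"; fi
done
report "root+intermediate bundle          " bundle.pem
report "intermediate only                 " int.pem
report "intermediate only, -partial_chain " int.pem -partial_chain
report "root only                         " root.pem
report "root only, -untrusted intermediate" root.pem -untrusted "$DEMO_DIR/int.pem"
```

With a stock OpenSSL, only the bundle and the "root plus -untrusted intermediate" cases verify; a CA file containing just the intermediate is rejected unless the verifier is told to accept a partial chain, and a root alone fails when the server does not send its intermediate. Running the same `openssl verify` against the real vpn.host.tld chain (saved with `openssl s_client -showcerts`) and the exact file given to --cafile shows quickly whether the trust store, rather than the PKCS#11 client certificate, is what the connection is tripping over.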