On Fri, 2017-12-01 at 12:58 +0100, Union wrote:
> In the past I could successfully connect with the pfx certificate to
> the ASA server with openconnect.
>
> But last couple of weeks this doesn't work anymore. It seems
> connection is established, but at the end, it just throws out the login
> entry (more details in the attachment).

I take it the certificate hasn't expired?

The primary version of OpenConnect isn't on github, btw. I'm not sure which one you're looking at, but it shouldn't make much difference; this hasn't changed for a while.

One possibility is that you aren't sending the full trust chain for the certificate. Given that your client is complaining about an "untrusted" certificate on the server, that looks like you don't have your corporate SSL CA installed correctly. OpenConnect will include all intermediate CAs in its request on the wire, if it can find them.... but in your case it won't.

Sometimes, the server admins forget to install the intermediate CAs. And sometimes, ancient OpenSSL bugs mean that the ASA attempts to use the *wrong* intermediate CA.
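
One way to test the "full trust chain" possibility raised in the message above is to check whether the PFX itself carries the intermediate CA. This is an added example, not part of the original message or of OpenConnect; it assumes the `openssl` CLI, and the function names, the `PFX_PASS` variable and every certificate in it are constructed for illustration.

```shell
#!/bin/sh
# Added example. All names, subjects and the password are constructed.

# Build a throwaway root -> intermediate -> leaf chain in directory $1 and two
# PKCS#12 bundles: bare.pfx (leaf + key only) and full.pfx (plus intermediate).
make_sample() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
  for n in root inter leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-$n" \
      -keyout "$1/$n.key" -out "$1/$n.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
    -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null || return 1
  openssl x509 -req -in "$1/inter.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 2 -extfile "$1/ca.ext" -out "$1/inter.pem" 2>/dev/null || return 1
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/inter.pem" -CAkey "$1/inter.key" \
    -CAcreateserial -days 2 -out "$1/leaf.pem" 2>/dev/null || return 1
  openssl pkcs12 -export -inkey "$1/leaf.key" -in "$1/leaf.pem" \
    -passout env:PFX_PASS -out "$1/bare.pfx" || return 1
  openssl pkcs12 -export -inkey "$1/leaf.key" -in "$1/leaf.pem" \
    -certfile "$1/inter.pem" -passout env:PFX_PASS -out "$1/full.pfx"
}

# Succeeds only if the client certificate in PFX file $1 chains to root CA $2
# using nothing but the CA certificates stored inside the PFX itself.
# The PFX password is read from the environment variable PFX_PASS.
pfx_chain_ok() {
  tmp=$(mktemp -d) || return 2
  openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys -clcerts \
    -out "$tmp/leaf.pem" 2>/dev/null || { rm -rf "$tmp"; return 2; }
  openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys -cacerts \
    -out "$tmp/ca.pem" 2>/dev/null
  if grep -q 'BEGIN CERTIFICATE' "$tmp/ca.pem" 2>/dev/null; then
    openssl verify -CAfile "$2" -untrusted "$tmp/ca.pem" "$tmp/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$tmp/leaf.pem" >/dev/null 2>&1
  fi
  rc=$?; rm -rf "$tmp"; return $rc
}

export PFX_PASS=constructed-password
demo=$(mktemp -d) && make_sample "$demo"
for f in bare full; do
  if pfx_chain_ok "$demo/$f.pfx" "$demo/root.pem"; then echo "$f.pfx: chain complete"
  else echo "$f.pfx: intermediate CA missing"; fi
done
rm -rf "$demo"
```

Against a real bundle, call `pfx_chain_ok` with the corporate root CA file; a failure means the intermediates have to come from somewhere other than the PFX.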