I'm trying to figure out why I can easily connect to my openconnect server when using the command line, but cannot connect when using NetworkManager-openconnect.

The successful command line is simply:

    /usr/sbin/openconnect <hostname>:444 --certificate gareth.crt --sslkey gareth.key --cafile cert1.crt

and I get:

    POST https://<hostname>:444/
    Attempting to connect to server <IP address>:444
    Using client certificate 'gareth'
    SSL negotiation with <hostname>
    Connected to HTTPS on <hostname>
    XML POST enabled
    SSL negotiation with <hostname>
    Connected to HTTPS on <hostname>
    Got CONNECT response: HTTP/1.1 200 CONNECTED
    CSTP connected. DPD 90, Keepalive 32400
    Connected tun0 as 10.1.2.32, using SSL
    Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(RSA)-(AES-128-GCM).

after which, routes all look good and traceroute shows my traffic going via the remote server.

However, if I transpose that to NetworkManager's openconnect GUI and try to connect, it instantly fails. I used the --cafile above for 'CA Certificate', --certificate above for 'User Certificate' and --sslkey for 'Private Key'.

Running:

    execsnoop -a16

shows that NetworkManager is running the following when I attempt to connect:

    /usr/sbin/openconnect --servercert sha1:11e55e29dceaf27a52a039af9844c0b6d2b9abda --syslog --cookie-on-stdin --script /usr/lib/NetworkManager/nm-openconnect-service-openconnect-helper --interface vpn0 <IP address>:444

I noticed that there is no mention of certificates in that command. I ran that command manually and I get nothing out other than:

    Failed to get a WebVPN cookie.

I then removed the --syslog and now I get more:

    POST https://<IP address>:444/
    Attempting to connect to server <IP address>:444
    SSL negotiation with <IP address>
    Server certificate verify failed: signer not found
    SSL connection failure: Error in the pull function.
    Failed to open HTTPS connection to <IP address>
    Failed to obtain WebVPN cookie

Adding multiple -v options doesn't show any more information.
Getting hold of a WebVPN cookie by adding --authenticate to the successful manual command line above and passing that using echo to the above simply removes the 'Failed to obtain WebVPN cookie' message. Still no connection.

Appending the three X.509 related command line options to the failing NM one gives me:

    Attempting to connect to server <IP address>:444
    Using client certificate 'gareth'
    SSL negotiation with <IP address>
    Server certificate verify failed: certificate does not match hostname
    Connected to HTTPS on <IP address>
    Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Unauthorized
    Creating SSL connection failed

which is better, but not correct.

Removing the --cookie-on-stdin finally gets me connected:

    POST https://<IP address>:444/
    Attempting to connect to server <IP address>:444
    Using client certificate 'gareth'
    SSL negotiation with <IP address>
    Server certificate verify failed: certificate does not match hostname
    Connected to HTTPS on <IP address>
    XML POST enabled
    SSL negotiation with <IP address>
    Server certificate verify failed: certificate does not match hostname
    Connected to HTTPS on <IP address>
    Got CONNECT response: HTTP/1.1 200 CONNECTED
    CSTP connected. DPD 90, Keepalive 32400
    ** (process:23870): WARNING **: Could not send configuration information: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.NetworkManager.openconnect was not provided by any .service files
    Connected vpn0 as 10.1.2.32, using SSL
    Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(RSA)-(AES-128-GCM).

Now, I'm certain that I'm not the only person to ever attempt to connect to ocserv using NetworkManager-openconnect and X.509 certificates. That leads me to believe that the software is good and that I'm missing a trick somewhere. I've scratched my head for a day or so trying to figure this out, but I'm stumped by the strange command executed by NetworkManager and am worried that I've gone down a rabbit hole with this.
For info, I'm using network-manager-openconnect_1.2.2-1_amd64.deb and openconnect_7.06-2build3_amd64.deb at the client (on Ubuntu 16.10), and on the server ocserv is 0.11.6 running on CentOS-7.

Can someone kindly point me back onto the correct track?

Thanks in advance,
Gareth
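Added example (not from the post, NetworkManager or openconnect): a POSIX shell sketch of the two-stage flow that the NetworkManager command reflects, where the authentication stage (`openconnect --authenticate`, run with the client certificate and CA file) prints COOKIE/HOST/FINGERPRINT assignments, and the connect stage then needs only the cookie on stdin plus the pinned `--servercert`, which is why no certificate options appear on it. The sample `--authenticate` output, the port 444 and the certificate file names are assumptions taken from the post.

```shell
#!/bin/sh
# Added example; not code from the post, NetworkManager or the openconnect project.
# Stage 1 (authentication) uses the client certificate and CA file and verifies the
# hostname; stage 2 (connection) authenticates with the cookie and identifies the server
# only by the pinned fingerprint, so it carries no --certificate/--sslkey/--cafile.

# Constructed sample of stage-1 output, so the script runs without a VPN server.
SAMPLE_AUTH_OUTPUT="COOKIE='webvpn=0123456789abcdef'
HOST='198.51.100.10'
FINGERPRINT='0123456789abcdef0123456789abcdef01234567'"

# Extract one NAME='value' assignment from --authenticate output. $1 = output, $2 = name.
auth_field() {
    printf '%s\n' "$1" | sed -n "s/^$2='\(.*\)'$/\1/p"
}

# Build the stage-2 arguments the way NetworkManager-openconnect does.
# $1 = stage-1 output, $2 = port. Fails if HOST or FINGERPRINT is missing.
connect_args() {
    fp=$(auth_field "$1" FINGERPRINT)
    host=$(auth_field "$1" HOST)
    [ -n "$fp" ] && [ -n "$host" ] || return 1
    # A bare hex digest is a SHA-1 pin (the form NM used in the post); keep any explicit prefix.
    case "$fp" in
        *:*) ;;
        *) fp="sha1:$fp" ;;
    esac
    printf '%s %s --cookie-on-stdin %s:%s' "--servercert" "$fp" "$host" "$2"
}

# Real run against a server (assumes the post's files; commented out to stay offline):
# AUTH=$(openconnect --authenticate --certificate gareth.crt --sslkey gareth.key \
#        --cafile cert1.crt "<hostname>:444")
# auth_field "$AUTH" COOKIE | openconnect $(connect_args "$AUTH" 444) --interface vpn0

connect_args "$SAMPLE_AUTH_OUTPUT" 444
echo
```

Note that if stage 2 is run on its own, as the post did, it has no cookie to send and no CA to chain the server certificate to, which matches the "signer not found" and "Failed to obtain WebVPN cookie" lines seen.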