David, Sorry for the long long silence. I haven't actually needed this to work in the past few months, but now I do, so this means renewed interest. On 28/04/17 12:32, David Raison wrote: > >> It's possible that something in the exchange over the network is >> causing us to trigger a latent bug... hard to say before we see more >> debugging info really. >> >> We should also try with pkcs11-spy. I ran the openconnect command with pcsc-spy, gnutls-debug set to 99 and OPENSC_DEBUG to 9, which produced quite a lot of output that I don't want to paste here, especially since I don't know if they contain any sensitive information, such as e.g. the pin? OK, yes they do. So what's the recommended way to share this info? The last few lines around the PKCS#11 error: > ASSERT: buffers.c[get_last_packet]:1159 > HSK[0x55d2194215c0]: SERVER HELLO DONE (14) was received. Length 0[0], frag offset 0, frag length: 1, sequence: 0 > ASSERT: buffers.c[_gnutls_handshake_io_recv_int]:1397 > HSK[0x55d2194215c0]: CERTIFICATE was queued [1743 bytes] > HWRITE: enqueued [CERTIFICATE] 1743. Total 1743 bytes. > HSK[0x55d2194215c0]: CLIENT KEY EXCHANGE was queued [262 bytes] > HWRITE: enqueued [CLIENT KEY EXCHANGE] 262. Total 2005 bytes. > sign handshake cert vrfy: picked RSA-SHA512 with SHA512 > ASSERT: pkcs11_privkey.c[_gnutls_pkcs11_privkey_sign_hash]:299 > ASSERT: privkey.c[gnutls_privkey_sign_hash]:1166 > ASSERT: tls-sig.c[_gnutls_handshake_sign_crt_vrfy12]:580 > ASSERT: cert.c[_gnutls_gen_cert_client_crt_vrfy]:1477 > ASSERT: kx.c[_gnutls_send_client_certificate_verify]:369 > ASSERT: handshake.c[handshake_client]:2923 > SSL connection failure: PKCS #11 error. > REC[0x55d2194215c0]: Start of epoch cleanup > REC[0x55d2194215c0]: End of epoch cleanup > REC[0x55d2194215c0]: Epoch #0 freed > REC[0x55d2194215c0]: Epoch #1 freed > Failed to open HTTPS connection?
