Hello all,

I have a problem using openconnect to connect to a Cisco AnyConnect VPN with a certificate on a smartcard.

Here is my configuration:

* Arch Linux
* Openconnect: Version v7.08 de OpenConnect
  Using GnuTLS. Features present: PKCS#11, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS
* Luxtrust java middleware and gemalto driver for smartcard.

It asks me for my PIN code and almost connects, but throws an SSL connection failure: PKCS #11 erreur.

openconnect --gnutls-debug=99 -v -c 'pkcs11:model=Classic%20V3;manufacturer=Gemalto%20S.A.;serial=509500079F5C5CD6;token=GemP15-1;id=%69%eb%a2%99%e5%f2%80%ef%82%62%f8%d2%e7%c5%1a%5f%43%06%3d%ac;object=User%20Cert%20Auth;type=cert' https://vpn.example.com

Attached, you'll find my full log.

Does someone have an idea? I don't master openssl enough to debug that.

Thank you very much in advance.

Best regards.

Noel Dieschburg

-------------- next part --------------
POST https://vpn.example.com/
Attempting to connect to server XXX.XXX.XX.XX:443
Connected to XXX.XXX.XX.XX:443
Initializing PKCS #11 modules
p11: Initializing module: p11-kit-trust
p11: Initializing module: beid
p11: Initializing module: gnome-keyring
p11: Initializing module: libclassicclient
ASSERT: pkcs11.c[compat_load]:685
p11: No login requested.
p11 attrs: CKA_CLASS (CERT), CKA_CERTIFICATE_TYPE
p11 attrs: CKA_TRUSTED
p11 attrs: CKA_CERTIFICATE_CATEGORY=CA
p11: No login requested.
p11 attrs: CKA_CLASS (CERT), CKA_CERTIFICATE_TYPE
p11 attrs: CKA_TRUSTED
p11 attrs: CKA_CERTIFICATE_CATEGORY=CA
ASSERT: pkcs11.c[find_objs_cb]:2766
ASSERT: pkcs11.c[gnutls_pkcs11_obj_list_import_url3]:3087
Using PKCS#11 certificate pkcs11:model=Classic%20V3;manufacturer=Gemalto%20S.A.;serial=509500079F5C5CD6;token=GemP15-1;id=%69%eb%a2%99%e5%f2%80%ef%82%62%f8%d2%e7%c5%1a%5f%43%06%3d%ac;object=User%20Cert%20Auth;type=cert
p11: No login requested.
ASSERT: extensions.c[_gnutls_get_extension]:65 ASSERT: extensions.c[_gnutls_get_extension]:65 PIN required for GemP15-1 Enter PIN: p11: Login result = ok (0) Using PKCS#11 key pkcs11:model=Classic%20V3;manufacturer=Gemalto%20S.A.;serial=509500079F5C5CD6;token=GemP15-1;id=%69%eb%a2%99%e5%f2%80%ef%82%62%f8%d2%e7%c5%1a%5f%43%06%3d%ac;object=User%20Cert%20Auth;type=private Using client certificate 'No?l Guy B Dieschburg' ASSERT: common.c[x509_read_value]:698 p11: No login requested. ASSERT: pkcs11.c[find_cert_cb]:3730 p11: No login requested. ASSERT: pkcs11.c[find_cert_cb]:3730 ASSERT: pkcs11.c[find_cert_cb]:3555 ASSERT: pkcs11.c[gnutls_pkcs11_get_raw_issuer]:3814 ASSERT: verify-high.c[gnutls_x509_trust_list_get_issuer]:969 ASSERT: common.c[x509_read_value]:698 p11: No login requested. ASSERT: pkcs11.c[find_cert_cb]:3730 ASSERT: pkcs11.c[find_cert_cb]:3555 ASSERT: pkcs11.c[gnutls_pkcs11_get_raw_issuer]:3814 ASSERT: extensions.c[_gnutls_get_extension]:65 ASSERT: extensions.c[_gnutls_get_extension]:65 ASSERT: x509_ext.c[gnutls_subject_alt_names_get]:110 ASSERT: x509.c[get_alt_name]:1701 ASSERT: str-idna.c[gnutls_idna_map]:297 unable to convert hostname No?l Guy B Dieschburg to IDNA format REC[0x197e720]: Allocating epoch #0 N?gociation SSL avec vpn.example.com ASSERT: constate.c[_gnutls_epoch_get]:600 REC[0x197e720]: Allocating epoch #1 HSK[0x197e720]: Adv. 
version: 3.3 HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CHACHA20_POLY1305 (CC.A9) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CCM (C0.AD) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA384 (C0.24) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384 (C0.73) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CCM (C0.AC) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384 (C0.30) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CHACHA20_POLY1305 (CC.A8) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1 (C0.14) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA384 (C0.28) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 (C0.77) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1 (C0.13) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256 (C0.27) 
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_RSA_AES_256_GCM_SHA384 (00.9D) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_GCM_SHA384 (C0.7B) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CCM (C0.9D) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA1 (00.35) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA256 (00.3D) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA1 (00.84) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA256 (00.C0) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_RSA_AES_128_GCM_SHA256 (00.9C) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_GCM_SHA256 (C0.7A) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CCM (C0.9C) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA1 (00.2F) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA256 (00.3C) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA1 (00.41) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA256 (00.BA) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_RSA_3DES_EDE_CBC_SHA1 (00.0A) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_GCM_SHA384 (00.9F) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_DHE_RSA_CHACHA20_POLY1305 (CC.AA) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CCM (C0.9F) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA1 (00.39) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA256 (00.6B) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4) HSK[0x197e720]: Keeping ciphersuite: 
GNUTLS_DHE_RSA_AES_128_GCM_SHA256 (00.9E) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CCM (C0.9E) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA1 (00.33) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA256 (00.67) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE) HSK[0x197e720]: Keeping ciphersuite: GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1 (00.16) EXT[0x197e720]: Sending extension OCSP Status Request (5 bytes) HSK[0x197e720]: sent server name: 'vpn.example.com' EXT[0x197e720]: Sending extension Server Name Indication (16 bytes) EXT[0x197e720]: Sending extension Safe Renegotiation (1 bytes) EXT[0x197e720]: Sending extension Session Ticket (0 bytes) EXT[0x197e720]: Sending extension Supported curves (12 bytes) EXT[0x197e720]: Sending extension Supported ECC Point Formats (2 bytes) EXT[0x197e720]: sent signature algo (4.1) RSA-SHA256 EXT[0x197e720]: sent signature algo (4.3) ECDSA-SHA256 EXT[0x197e720]: sent signature algo (5.1) RSA-SHA384 EXT[0x197e720]: sent signature algo (5.3) ECDSA-SHA384 EXT[0x197e720]: sent signature algo (6.1) RSA-SHA512 EXT[0x197e720]: sent signature algo (6.3) ECDSA-SHA512 EXT[0x197e720]: sent signature algo (3.1) RSA-SHA224 EXT[0x197e720]: sent signature algo (3.3) ECDSA-SHA224 EXT[0x197e720]: sent signature algo (2.1) RSA-SHA1 EXT[0x197e720]: sent signature algo (2.3) ECDSA-SHA1 EXT[0x197e720]: Sending extension Signature Algorithms (22 bytes) HSK[0x197e720]: CLIENT HELLO was queued [245 bytes] HWRITE: enqueued [CLIENT HELLO] 245. Total 245 bytes. HWRITE FLUSH: 245 bytes in buffer. REC[0x197e720]: Preparing Packet Handshake(22) with length: 245 and min pad: 0 ENC[0x197e720]: cipher: NULL, MAC: MAC-NULL, Epoch: 0 WRITE: enqueued 250 bytes for 0x5. Total 250 bytes. 
REC[0x197e720]: Sent Packet[1] Handshake(22) in epoch 0 and length: 250 HWRITE: wrote 1 bytes, 0 bytes left. WRITE FLUSH: 250 bytes in buffer. WRITE: wrote 250 bytes, 0 bytes left. ASSERT: buffers.c[get_last_packet]:1159 READ: Got 5 bytes from 0x5 READ: read 5 bytes from 0x5 RB: Have 0 bytes into buffer. Adding 5 bytes. RB: Requested 5 bytes REC[0x197e720]: SSL 3.3 Handshake packet received. Epoch 0, length: 85 REC[0x197e720]: Expected Packet Handshake(22) REC[0x197e720]: Received Packet Handshake(22) with length: 85 READ: Got 85 bytes from 0x5 READ: read 85 bytes from 0x5 RB: Have 5 bytes into buffer. Adding 85 bytes. RB: Requested 90 bytes REC[0x197e720]: Decrypted Packet[0] Handshake(22) with length: 85 BUF[REC]: Inserted 85 bytes of Data(22) HSK[0x197e720]: SERVER HELLO (2) was received. Length 81[81], frag offset 0, frag length: 81, sequence: 0 HSK[0x197e720]: Server's version: 3.3 HSK[0x197e720]: SessionID length: 32 HSK[0x197e720]: SessionID: bc129069c761404444863136a5488f470a60b9979154cf314eb58f00a8aa6bb1 HSK[0x197e720]: Selected cipher suite: DHE_RSA_AES_256_CBC_SHA1 HSK[0x197e720]: Selected compression method: NULL (0) EXT[0x197e720]: Parsing extension 'Server Name Indication/0' (0 bytes) EXT[0x197e720]: Parsing extension 'Safe Renegotiation/65281' (1 bytes) HSK[0x197e720]: Safe renegotiation succeeded ASSERT: buffers.c[get_last_packet]:1159 READ: Got 5 bytes from 0x5 READ: read 5 bytes from 0x5 RB: Have 0 bytes into buffer. Adding 5 bytes. RB: Requested 5 bytes REC[0x197e720]: SSL 3.3 Handshake packet received. Epoch 0, length: 4491 REC[0x197e720]: Expected Packet Handshake(22) REC[0x197e720]: Received Packet Handshake(22) with length: 4491 READ: Got 1333 bytes from 0x5 READ: Got 1428 bytes from 0x5 READ: Got 1428 bytes from 0x5 READ: Got 302 bytes from 0x5 READ: read 4491 bytes from 0x5 RB: Have 5 bytes into buffer. Adding 4491 bytes. 
RB: Requested 4496 bytes REC[0x197e720]: Decrypted Packet[1] Handshake(22) with length: 4491 BUF[REC]: Inserted 4491 bytes of Data(22) HSK[0x197e720]: CERTIFICATE (11) was received. Length 4487[4487], frag offset 0, frag length: 4487, sequence: 0 ASSERT: extensions.c[_gnutls_get_extension]:65 ASSERT: extensions.c[_gnutls_get_extension]:65 ASSERT: extensions.c[_gnutls_get_extension]:65 ASSERT: extensions.c[_gnutls_get_extension]:65 ASSERT: extensions.c[_gnutls_get_extension]:65 ASSERT: extensions.c[_gnutls_get_extension]:65 ASSERT: extensions.c[_gnutls_get_extension]:65 ASSERT: extensions.c[_gnutls_get_extension]:65 ASSERT: extensions.c[_gnutls_get_extension]:65 ASSERT: extensions.c[_gnutls_get_extension]:65 ASSERT: extensions.c[_gnutls_get_extension]:65 ASSERT: status_request.c[gnutls_ocsp_status_request_get]:379 ASSERT: extensions.c[_gnutls_get_extension]:65 ASSERT: common.c[x509_read_value]:698 ASSERT: common.c[x509_read_value]:698 ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:1003 ASSERT: common.c[x509_read_value]:698 ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:1003 ASSERT: verify.c[verify_crt]:604 GNUTLS_SEC_PARAM_LOW: certificate's issuer security level is unacceptable ASSERT: verify.c[is_level_acceptable]:429 ASSERT: verify.c[verify_crt]:714 ASSERT: verify.c[verify_crt]:743 ASSERT: verify.c[_gnutls_verify_crt_status]:913 ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:1003 ASSERT: verify.c[verify_crt]:604 GNUTLS_SEC_PARAM_LOW: certificate's issuer security level is unacceptable ASSERT: verify.c[is_level_acceptable]:429 ASSERT: verify.c[verify_crt]:714 ASSERT: verify.c[verify_crt]:743 ASSERT: verify.c[_gnutls_verify_crt_status]:913 ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:1003 p11: No login requested. ASSERT: pkcs11.c[find_cert_cb]:3730 p11: No login requested. 
ASSERT: pkcs11.c[find_cert_cb]:3730 ASSERT: pkcs11.c[find_cert_cb]:3555 crt_is_known: did not find cert, using issuer DN + serial, using DN only ASSERT: pkcs11.c[gnutls_pkcs11_crt_is_known]:4095 p11: No login requested. ASSERT: pkcs11.c[find_cert_cb]:3730 p11: No login requested. ASSERT: pkcs11.c[find_cert_cb]:3730 ASSERT: pkcs11.c[find_cert_cb]:3555 ASSERT: pkcs11.c[gnutls_pkcs11_crt_is_known]:4108 crt_is_known: did not find any cert p11: No login requested. ASSERT: pkcs11.c[find_cert_cb]:3730 p11: No login requested. ASSERT: pkcs11.c[find_cert_cb]:3730 ASSERT: pkcs11.c[find_cert_cb]:3555 crt_is_known: did not find cert, using issuer DN + serial, using DN only ASSERT: pkcs11.c[gnutls_pkcs11_crt_is_known]:4095 p11: No login requested. ASSERT: pkcs11.c[find_cert_cb]:3730 p11: No login requested. ASSERT: pkcs11.c[find_cert_cb]:3730 ASSERT: pkcs11.c[find_cert_cb]:3555 ASSERT: pkcs11.c[gnutls_pkcs11_crt_is_known]:4108 crt_is_known: did not find any cert p11: No login requested. ASSERT: pkcs11.c[find_cert_cb]:3730 p11: No login requested. ASSERT: pkcs11.c[find_cert_cb]:3730 ASSERT: pkcs11.c[find_cert_cb]:3555 crt_is_known: did not find cert, using issuer DN + serial, using DN only ASSERT: pkcs11.c[gnutls_pkcs11_crt_is_known]:4095 p11: No login requested. ASSERT: pkcs11.c[find_cert_cb]:3730 p11: No login requested. ASSERT: pkcs11.c[find_cert_cb]:3730 ASSERT: pkcs11.c[find_cert_cb]:3555 ASSERT: pkcs11.c[gnutls_pkcs11_crt_is_known]:4108 crt_is_known: did not find any cert p11: No login requested. ASSERT: pkcs11.c[find_cert_cb]:3730 p11: No login requested. ASSERT: pkcs11.c[find_cert_cb]:3730 ASSERT: pkcs11.c[find_cert_cb]:3555 crt_is_known: did not find cert, using issuer DN + serial, using DN only ASSERT: pkcs11.c[gnutls_pkcs11_crt_is_known]:4095 p11: No login requested. ASSERT: pkcs11.c[find_cert_cb]:3730 p11: No login requested. 
ASSERT: pkcs11.c[find_cert_cb]:3730 ASSERT: pkcs11.c[find_cert_cb]:3555 ASSERT: pkcs11.c[gnutls_pkcs11_crt_is_known]:4108 crt_is_known: did not find any cert ASSERT: common.c[x509_read_value]:698 p11: No login requested. ASSERT: pkcs11.c[find_cert_cb]:3730 p11: No login requested. ASSERT: extensions.c[_gnutls_get_extension]:65 ASSERT: extensions.c[_gnutls_get_extension]:65 ASSERT: extensions.c[_gnutls_get_extension]:65 ASSERT: extensions.c[_gnutls_get_extension]:65 ASSERT: extensions.c[_gnutls_get_extension]:65 ASSERT: extensions.c[_gnutls_get_extension]:65 ASSERT: common.c[x509_read_value]:698 looking for key purpose '1.3.6.1.5.5.7.3.1', but have '1.3.6.1.5.5.7.3.4' ASSERT: common.c[x509_read_value]:698 ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:1003 ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:1003 ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:1003 ASSERT: common.c[x509_read_value]:698 ASSERT: extensions.c[_gnutls_get_extension]:65 ASSERT: name_constraints.c[gnutls_x509_crt_get_name_constraints]:470 ASSERT: extensions.c[_gnutls_get_extension]:65 ASSERT: mpi.c[_gnutls_x509_read_uint]:246 ASSERT: common.c[x509_read_value]:698 ASSERT: extensions.c[_gnutls_get_extension]:65 ASSERT: name_constraints.c[gnutls_x509_crt_get_name_constraints]:470 ASSERT: extensions.c[_gnutls_get_extension]:65 ASSERT: buffers.c[get_last_packet]:1159 READ: Got 5 bytes from 0x5 READ: read 5 bytes from 0x5 RB: Have 0 bytes into buffer. Adding 5 bytes. RB: Requested 5 bytes REC[0x197e720]: SSL 3.3 Handshake packet received. Epoch 0, length: 1039 REC[0x197e720]: Expected Packet Handshake(22) REC[0x197e720]: Received Packet Handshake(22) with length: 1039 READ: Got 1039 bytes from 0x5 READ: read 1039 bytes from 0x5 RB: Have 5 bytes into buffer. Adding 1039 bytes. RB: Requested 1044 bytes REC[0x197e720]: Decrypted Packet[2] Handshake(22) with length: 1039 BUF[REC]: Inserted 1039 bytes of Data(22) HSK[0x197e720]: SERVER KEY EXCHANGE (12) was received. 
Length 1035[1035], frag offset 0, frag length: 1035, sequence: 0 ASSERT: extensions.c[_gnutls_get_extension]:65 HSK[0x197e720]: verify handshake data: using RSA-SHA512 ASSERT: buffers.c[get_last_packet]:1159 READ: Got 5 bytes from 0x5 READ: read 5 bytes from 0x5 RB: Have 0 bytes into buffer. Adding 5 bytes. RB: Requested 5 bytes REC[0x197e720]: SSL 3.3 Handshake packet received. Epoch 0, length: 1015 REC[0x197e720]: Expected Packet Handshake(22) REC[0x197e720]: Received Packet Handshake(22) with length: 1015 READ: Got 1015 bytes from 0x5 READ: read 1015 bytes from 0x5 RB: Have 5 bytes into buffer. Adding 1015 bytes. RB: Requested 1020 bytes REC[0x197e720]: Decrypted Packet[3] Handshake(22) with length: 1015 BUF[REC]: Inserted 1015 bytes of Data(22) HSK[0x197e720]: CERTIFICATE REQUEST (13) was received. Length 1007[1011], frag offset 0, frag length: 1007, sequence: 0 EXT[0x197e720]: rcvd signature algo (6.1) RSA-SHA512 EXT[0x197e720]: rcvd signature algo (6.2) DSA-SHA512 EXT[0x197e720]: rcvd signature algo (6.3) ECDSA-SHA512 EXT[0x197e720]: rcvd signature algo (5.1) RSA-SHA384 EXT[0x197e720]: rcvd signature algo (5.2) DSA-SHA384 EXT[0x197e720]: rcvd signature algo (5.3) ECDSA-SHA384 EXT[0x197e720]: rcvd signature algo (4.1) RSA-SHA256 EXT[0x197e720]: rcvd signature algo (4.2) DSA-SHA256 EXT[0x197e720]: rcvd signature algo (4.3) ECDSA-SHA256 EXT[0x197e720]: rcvd signature algo (2.1) RSA-SHA1 EXT[0x197e720]: rcvd signature algo (2.2) DSA-SHA1 EXT[0x197e720]: rcvd signature algo (2.3) ECDSA-SHA1 ASSERT: buffers.c[get_last_packet]:1159 HSK[0x197e720]: SERVER HELLO DONE (14) was received. Length 0[0], frag offset 0, frag length: 1, sequence: 0 ASSERT: buffers.c[_gnutls_handshake_io_recv_int]:1397 HSK[0x197e720]: CERTIFICATE was queued [1757 bytes] HWRITE: enqueued [CERTIFICATE] 1757. Total 1757 bytes. HSK[0x197e720]: CLIENT KEY EXCHANGE was queued [262 bytes] HWRITE: enqueued [CLIENT KEY EXCHANGE] 262. Total 2019 bytes. 
sign handshake cert vrfy: picked RSA-SHA512 with SHA512
ASSERT: pkcs11_privkey.c[_gnutls_pkcs11_privkey_sign_hash]:352
ASSERT: privkey.c[gnutls_privkey_sign_hash]:1175
ASSERT: tls-sig.c[_gnutls_handshake_sign_crt_vrfy12]:580
ASSERT: cert.c[_gnutls_gen_cert_client_crt_vrfy]:1477
ASSERT: kx.c[_gnutls_send_client_certificate_verify]:369
ASSERT: handshake.c[handshake_client]:2926
SSL connection failure: PKCS #11 erreur.
REC[0x197e720]: Start of epoch cleanup
REC[0x197e720]: End of epoch cleanup
REC[0x197e720]: Epoch #0 freed
REC[0x197e720]: Epoch #1 freed
Failed to open HTTPS connection to vpn.example.com
Failed to obtain WebVPN cookie
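
A triage pass over this kind of `--gnutls-debug` output, as an added example that is not part of the original post or of openconnect/GnuTLS: it extracts the signature algorithms the server offered, the one the client picked, and the unbroken ASSERT chain directly before the failure line. The function name `triage` and the report keys are assumptions; the sample lines are excerpted from the log above, one message per line.

```python
import re

# Excerpt of the GnuTLS debug output from the post above, one message per line.
SAMPLE_LOG = """\
EXT[0x197e720]: rcvd signature algo (6.1) RSA-SHA512
EXT[0x197e720]: rcvd signature algo (4.1) RSA-SHA256
HSK[0x197e720]: SERVER HELLO DONE (14) was received. Length 0[0], frag offset 0, frag length: 1, sequence: 0
HSK[0x197e720]: CERTIFICATE was queued [1757 bytes]
HSK[0x197e720]: CLIENT KEY EXCHANGE was queued [262 bytes]
sign handshake cert vrfy: picked RSA-SHA512 with SHA512
ASSERT: pkcs11_privkey.c[_gnutls_pkcs11_privkey_sign_hash]:352
ASSERT: privkey.c[gnutls_privkey_sign_hash]:1175
ASSERT: tls-sig.c[_gnutls_handshake_sign_crt_vrfy12]:580
ASSERT: cert.c[_gnutls_gen_cert_client_crt_vrfy]:1477
ASSERT: kx.c[_gnutls_send_client_certificate_verify]:369
ASSERT: handshake.c[handshake_client]:2926
SSL connection failure: PKCS #11 erreur.
"""

ASSERT_RE = re.compile(r"^ASSERT: (\S+?)\[(\w+)\]:(\d+)$")
HSK_RE = re.compile(r"^HSK\[0x[0-9a-f]+\]: ([A-Z ]+?) (?:\(\d+\) )?was (received|queued)")
RCVD_RE = re.compile(r"rcvd signature algo \(\d+\.\d+\) (\S+)")
PICKED_RE = re.compile(r"^sign handshake cert vrfy: picked (\S+)")
FAIL_RE = re.compile(r"^SSL connection failure: (.*)$")


def triage(log_text):
    """Summarise where a GnuTLS-debug handshake log stops (hypothetical helper)."""
    report = {"server_sigalgs": [], "picked": None, "last_handshake": None,
              "error": None, "failing_chain": []}
    run = []  # ASSERT lines seen back-to-back just before the current line
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        m = ASSERT_RE.match(line)
        if m:
            run.append((m.group(1), m.group(2), int(m.group(3))))
            continue
        fail = FAIL_RE.match(line)
        if fail:
            # The unbroken ASSERT run before the failure; first entry is innermost.
            report["error"], report["failing_chain"] = fail.group(1), run
            break
        run = []  # any other message ends the run; those ASSERTs did not stop the handshake
        if (m := HSK_RE.match(line)):
            report["last_handshake"] = (m.group(1), m.group(2))
        elif (m := RCVD_RE.search(line)):
            report["server_sigalgs"].append(m.group(1))
        elif (m := PICKED_RE.match(line)):
            report["picked"] = m.group(1)
    # True when the algorithm the client signed with is one the server listed
    report["picked_offered"] = report["picked"] in report["server_sigalgs"]
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the excerpt, the picked RSA-SHA512 is among the algorithms the server listed, and the innermost frame of the failing chain is `_gnutls_pkcs11_privkey_sign_hash`, the call into the token's signing operation.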