Hi,

I specified the parameter in ./configure:

    /u/s/openconnect-7.08 $ grep RSA config.h
    #define DEFAULT_PRIO "NORMAL:-SIGN-RSA-SHA512:-SIGN-RSA-SHA384"

It now chooses SIGN-RSA-256 as signing algorithm but still fails to connect:

    ASSERT: extensions.c[_gnutls_get_extension]:65
    HSK[0x55eb8c945d30]: verify handshake data: using RSA-SHA256
    ASSERT: buffers.c[get_last_packet]:1159
    READ: Got 5 bytes from 0x5
    READ: read 5 bytes from 0x5
    RB: Have 0 bytes into buffer. Adding 5 bytes.
    RB: Requested 5 bytes
    REC[0x55eb8c945d30]: SSL 3.3 Handshake packet received. Epoch 0, length: 1015
    REC[0x55eb8c945d30]: Expected Packet Handshake(22)
    REC[0x55eb8c945d30]: Received Packet Handshake(22) with length: 1015
    READ: Got 1015 bytes from 0x5
    READ: read 1015 bytes from 0x5
    RB: Have 5 bytes into buffer. Adding 1015 bytes.
    RB: Requested 1020 bytes
    REC[0x55eb8c945d30]: Decrypted Packet[3] Handshake(22) with length: 1015
    BUF[REC]: Inserted 1015 bytes of Data(22)
    HSK[0x55eb8c945d30]: CERTIFICATE REQUEST (13) was received. Length 1007[1011], frag offset 0, frag length: 1007, sequence: 0
    EXT[0x55eb8c945d30]: rcvd signature algo (6.1) RSA-SHA512
    EXT[0x55eb8c945d30]: rcvd signature algo (6.2) DSA-SHA512
    EXT[0x55eb8c945d30]: rcvd signature algo (6.3) ECDSA-SHA512
    EXT[0x55eb8c945d30]: rcvd signature algo (5.1) RSA-SHA384
    EXT[0x55eb8c945d30]: rcvd signature algo (5.2) DSA-SHA384
    EXT[0x55eb8c945d30]: rcvd signature algo (5.3) ECDSA-SHA384
    EXT[0x55eb8c945d30]: rcvd signature algo (4.1) RSA-SHA256
    EXT[0x55eb8c945d30]: rcvd signature algo (4.2) DSA-SHA256
    EXT[0x55eb8c945d30]: rcvd signature algo (4.3) ECDSA-SHA256
    EXT[0x55eb8c945d30]: rcvd signature algo (2.1) RSA-SHA1
    EXT[0x55eb8c945d30]: rcvd signature algo (2.2) DSA-SHA1
    EXT[0x55eb8c945d30]: rcvd signature algo (2.3) ECDSA-SHA1
    ASSERT: buffers.c[get_last_packet]:1159
    HSK[0x55eb8c945d30]: SERVER HELLO DONE (14) was received. Length 0[0], frag offset 0, frag length: 1, sequence: 0
    ASSERT: buffers.c[_gnutls_handshake_io_recv_int]:1397
    HSK[0x55eb8c945d30]: CERTIFICATE was queued [1757 bytes]
    HWRITE: enqueued [CERTIFICATE] 1757. Total 1757 bytes.
    HSK[0x55eb8c945d30]: CLIENT KEY EXCHANGE was queued [262 bytes]
    HWRITE: enqueued [CLIENT KEY EXCHANGE] 262. Total 2019 bytes.
    sign handshake cert vrfy: picked RSA-SHA512 with SHA512
    ASSERT: pkcs11_privkey.c[_gnutls_pkcs11_privkey_sign_hash]:352
    ASSERT: privkey.c[gnutls_privkey_sign_hash]:1175
    ASSERT: tls-sig.c[_gnutls_handshake_sign_crt_vrfy12]:580
    ASSERT: cert.c[_gnutls_gen_cert_client_crt_vrfy]:1477
    ASSERT: kx.c[_gnutls_send_client_certificate_verify]:369
    ASSERT: handshake.c[handshake_client]:2926
    SSL connection failure: PKCS #11 erreur.
    REC[0x55eb8c945d30]: Start of epoch cleanup
    REC[0x55eb8c945d30]: End of epoch cleanup
    REC[0x55eb8c945d30]: Epoch #0 freed
    REC[0x55eb8c945d30]: Epoch #1 freed
    Failed to open HTTPS connection to vpn.etat.lu
    Failed to obtain WebVPN cookie

It seems to use RSA-256:

    HSK[0x55eb8c945d30]: verify handshake data: using RSA-SHA256

But afterwards, I still have

    sign handshake cert vrfy: picked RSA-SHA512 with SHA512

Is that normal?

Best regards.
Noel

On Friday 22 September 2017 at 16:03 +0200, Nikos Mavrogiannopoulos wrote:
> On Fri, Sep 22, 2017 at 4:01 PM, Noel Dieschburg <noel at cblue.be> wrote:
> > Hi David,
> >
> > First thank you for your quick answer ;)
> >
> > Do you know if there is a way to do such things (disable RSA-512 signing
> > algo) without recompiling the gnu-tls library? I found nothing for the
> > moment.
>
> I believe you have to recompile openconnect and set to configure:
> --with-default-gnutls-priority="NORMAL:-SIGN-RSA-SHA512"
>
> (I'd also remove RSA-SHA384 to try with the more common SHA256)
> --with-default-gnutls-priority="NORMAL:-SIGN-RSA-SHA512:-SIGN-RSA-SHA384"
>
> regards,
> Nikos
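The two log lines Noel asks about come from different steps: "verify handshake data" is the client checking the server's signature, while "sign handshake cert vrfy" is the client choosing an algorithm from the server's CertificateRequest list for its own CertificateVerify. The model below is an added example, not code from the thread, OpenConnect or GnuTLS: it parses the signature_algorithms list from the debug lines above, expands a GnuTLS-style priority string, and shows which CertificateVerify algorithm each priority string leaves for an RSA client key. The contents of "NORMAL" and the first-server-preference rule are simplifying assumptions, not GnuTLS's real tables.

```python
import re

# TLS 1.2 SignatureAndHashAlgorithm code points (RFC 5246 7.4.1.4.1), logged as (hash.sig).
HASH = {1: "MD5", 2: "SHA1", 3: "SHA224", 4: "SHA256", 5: "SHA384", 6: "SHA512"}
SIG = {1: "RSA", 2: "DSA", 3: "ECDSA"}

# What "NORMAL" enables in this model (assumption: an illustrative subset in
# preference order, not GnuTLS's real table).
NORMAL_SIGN = ["RSA-SHA256", "RSA-SHA384", "RSA-SHA512", "RSA-SHA1", "ECDSA-SHA256"]

# A subset of the CERTIFICATE REQUEST lines from the debug log in the thread.
CERT_REQUEST_LOG = """
EXT[0x55eb8c945d30]: rcvd signature algo (6.1) RSA-SHA512
EXT[0x55eb8c945d30]: rcvd signature algo (6.2) DSA-SHA512
EXT[0x55eb8c945d30]: rcvd signature algo (5.1) RSA-SHA384
EXT[0x55eb8c945d30]: rcvd signature algo (4.1) RSA-SHA256
EXT[0x55eb8c945d30]: rcvd signature algo (2.1) RSA-SHA1
"""
LOG_RE = re.compile(r"rcvd signature algo \((\d+)\.(\d+)\) (\S+)")

def enabled_sign_algos(priority):
    """Expand a GnuTLS-style priority string into the client's enabled
    signature algorithms; only NORMAL and -SIGN-<algo> are modelled."""
    enabled = []
    for kw in priority.split(":"):
        if kw == "NORMAL":
            enabled = list(NORMAL_SIGN)
        elif kw.startswith("-SIGN-"):
            enabled = [a for a in enabled if a != kw[len("-SIGN-"):]]
    return enabled

def server_sign_algos(log):
    """Parse the server's signature_algorithms list from the debug output,
    keeping the order it was sent in and checking names against code points."""
    algos = []
    for h, s, name in LOG_RE.findall(log):
        code = f"{SIG[int(s)]}-{HASH[int(h)]}"
        if code != name:
            raise ValueError(f"log name {name} disagrees with code point {h}.{s}")
        algos.append(name)
    return algos

def pick_cert_verify_algo(server_list, client_enabled, key_type="RSA"):
    """CertificateVerify must use an algorithm the server listed; modelled
    as the first server-preferred one the client enabled for its key type."""
    for algo in server_list:
        if algo in client_enabled and algo.startswith(key_type + "-"):
            return algo
    return None
```

With both SHA512 and SHA384 removed the model lands on RSA-SHA256, so a debug log that still reports "picked RSA-SHA512" suggests the DEFAULT_PRIO compiled into config.h was not the priority string in effect at run time.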