On Sun, 2020-04-05 at 22:13 +0200, Kai G wrote:
> I'm trying to connect to a Cisco ASA VPN using credentials on a
> smartcard.
>
> My setup is Ubuntu 18.04 with OpenConnect 7.08.
>
> There are a bunch of certs on the card but I think I positively
> identified the right one with the help of the anyconnect xml file and
> p11tool.
>
> I can connect from Anyconnect on Windows 10 just fine using the same
> card but when trying from another PC with Linux and openconnect I get
> a Certificate Validation Failure message from the server.
>
> Is there anything else I can do to debug this?

My first guess is that your certificate is issued by an intermediate CA that isn't known to the server, and thus we need to provide it on the wire. And that you don't have your corporate CAs installed correctly on your system, otherwise you wouldn't need to give the --servercert argument.

Amusingly, the certificate identity is sent in cleartext by Cisco's protocol, unlike some other VPNs. So if you do a packet capture (on the physical network) of the AnyConnect client connecting, and compare with the OpenConnect connection, you should be able to see that OpenConnect sends only one certificate while AnyConnect managed to find the issuer in the Windows certificate store and sends that too.
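The comparison suggested in the reply comes down to counting the entries in the client's TLS Certificate handshake message. The following parser is an added example for this thread, not code from OpenConnect or from the reply's author: it walks a TLS 1.2 handshake record carrying a Certificate message (RFC 5246 layout: record header, handshake header, 3-byte certificate_list length, then 3-byte-length-prefixed DER entries) and returns the certificates it finds, so a capture of each client can be checked for a one-entry versus two-entry chain. The sample records are built from constructed placeholder byte strings, not real X.509 certificates; the names LEAF, INTERMEDIATE, OPENCONNECT_LIKE and ANYCONNECT_LIKE are assumptions for illustration.

```python
"""Count the certificates a TLS 1.2 client sends in its Certificate message.
Added example for the openconnect-devel thread; the sample bytes below are
constructed placeholders, not real certificates."""
import struct

HANDSHAKE_RECORD = 22   # TLS record content type: handshake
CERTIFICATE_MSG = 11    # handshake message type: Certificate


def parse_certificate_record(record: bytes) -> list:
    """Return the DER blobs carried in one TLS Certificate handshake record.

    Every length is checked against the bytes actually present, and any
    mismatch raises ValueError, so a truncated capture is never mistaken
    for a client that sent only one certificate.
    """
    if len(record) < 5:
        raise ValueError("short record header")
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE_RECORD:
        raise ValueError("not a handshake record")
    body = record[5:5 + rlen]
    if len(body) != rlen:
        raise ValueError("truncated record")
    if len(body) < 4:
        raise ValueError("short handshake header")
    htype = body[0]
    hlen = int.from_bytes(body[1:4], "big")
    if htype != CERTIFICATE_MSG:
        raise ValueError("not a Certificate message")
    msg = body[4:4 + hlen]
    if len(msg) != hlen:
        raise ValueError("truncated handshake message")
    total = int.from_bytes(msg[:3], "big")
    cert_list = msg[3:3 + total]
    if len(cert_list) != total:
        raise ValueError("truncated certificate_list")
    certs = []
    pos = 0
    while pos < len(cert_list):
        clen = int.from_bytes(cert_list[pos:pos + 3], "big")
        der = cert_list[pos + 3:pos + 3 + clen]
        if len(der) != clen:
            raise ValueError("truncated certificate entry")
        certs.append(der)
        pos += 3 + clen
    return certs


def build_certificate_record(certs: list) -> bytes:
    """Assemble a TLS 1.2 Certificate handshake record from DER blobs.

    Used here only to construct sample input; a real capture would be read
    from the wire instead.
    """
    cert_list = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    msg = len(cert_list).to_bytes(3, "big") + cert_list
    handshake = bytes([CERTIFICATE_MSG]) + len(msg).to_bytes(3, "big") + msg
    return struct.pack("!BHH", HANDSHAKE_RECORD, 0x0303, len(handshake)) + handshake


# Constructed placeholders standing in for DER-encoded certificates (hypothetical
# names); they are opaque byte strings with distinct lengths, not X.509 data.
LEAF = b"\x30\x82" + b"L" * 40          # stands in for the smartcard's client cert
INTERMEDIATE = b"\x30\x82" + b"I" * 60  # stands in for the issuing intermediate CA

# A client that sends only the leaf versus one that also sends the issuer.
OPENCONNECT_LIKE = build_certificate_record([LEAF])
ANYCONNECT_LIKE = build_certificate_record([LEAF, INTERMEDIATE])


def chain_length(record: bytes) -> int:
    """Number of certificates the client put on the wire."""
    return len(parse_certificate_record(record))


if __name__ == "__main__":
    for name, rec in (("one-cert client", OPENCONNECT_LIKE),
                      ("two-cert client", ANYCONNECT_LIKE)):
        print(f"{name}: {chain_length(rec)} certificate(s) in Certificate message")
```

The parser assumes the whole Certificate message fits in a single record; a long chain can be split across records and would need reassembly first. It also applies only to TLS 1.2, where the Certificate message is sent in the clear; under TLS 1.3 that message is encrypted, so the cleartext observation in the reply cannot be made from a passive capture there.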
_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel