openconnect with Belgian EID

Christof Haerens christof at haerens.be
Tue Nov 5 10:26:36 EST 2013


Hi,

Exported certs with id 3, 4 and 6 to myca.crt, but no luck:

% openconnect -v --cafile ./myca.crt --no-cert-check -c 'pkcs11:token=BELPIC%20%28Basic%20PIN%29;id=%02' https://vpn1
Attempting to connect to server x.x.x.x:443
Using PKCS#11 certificate pkcs11:token=BELPIC%20%28Basic%20PIN%29;id=%02;object-type=cert;pin-source=openconnect%3a0x1647930
PIN required for BELPIC (Basic PIN)
Enter PIN:
Using PKCS#11 key pkcs11:token=BELPIC%20%28Basic%20PIN%29;id=%02;object-type=private;pin-source=openconnect%3a0x1647930
Using client certificate 'Christof Haerens (Authentication)'
SSL negotiation with vpn1
Connected to HTTPS on vpn1
GET https://vpn1/
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Tue, 05 Nov 2013 15:21:13 GMT
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length:  (0)
SSL negotiation with vpn1
Connected to HTTPS on vpn1
GET https://vpn1/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
Set-Cookie: ClientCertAuthFailed=1; path=/; secure
SSL certificate authentication failed
X-Transcend-Version: 1
HTTP body chunked (-2)
Fixed options give
Please enter your username and password.
Certificate Validation Failure
Failed to obtain WebVPN cookie
On 11/05/2013 04:14 PM, David Woodhouse wrote:
> On Tue, 2013-11-05 at 15:56 +0100, Christof Haerens wrote:
>> So the ID 02 is Authentication, which is the one I use in openconnect -c pkcs11:
>> The ID 04(label CA) I should export and then pass to openconnect with the --cafile option?
> That or the 'Root' one. I'd export them *both* and put them in a single
> file and use that with the --cafile option.
>
> If either of them are responsible for signing your personal cert, then
> OpenConnect will include them in its SSL negotiation, and that can often
> 'help' the server to realise that it actually *does* trust the cert in
> question.
>
> If that's the issue, then perhaps OpenConnect needs to be taught to go
> looking for these 'supporting' certs in the PKCS#11 store, as well as
> the --cafile. But then again, perhaps GnuTLS ought to do that for
> itself.
>
> Nikos?
>

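A check that goes with the advice above, added here as an example and not taken from the thread or from OpenConnect itself: before passing an exported bundle to --cafile, confirm that it actually contains the issuers needed to chain the authentication certificate up to a self-signed root. The script builds a constructed two-level test PKI (root -> CA -> authentication cert, standing in for the card's objects; none of it is BELPIC data) and runs openssl verify against three candidate bundles. Only the bundle with both the CA and the Root certificate validates, which is why exporting both into one file matters. The p11tool commands in the comments show how the real objects would be exported (the token URL is from the log above; the object ids for the CA and Root certificates are assumptions, and the commands are not executed here).

```shell
#!/bin/sh
# Added example: does a --cafile bundle really chain the auth cert to a root?
# On the real card the inputs would come from p11tool, roughly (assumed
# invocation, not run here; CA_ID / ROOT_ID are placeholders):
#   p11tool --list-all-certs 'pkcs11:token=BELPIC%20%28Basic%20PIN%29'
#   p11tool --export 'pkcs11:token=BELPIC%20%28Basic%20PIN%29;id=%02' > auth.crt
#   p11tool --export 'pkcs11:token=BELPIC%20%28Basic%20PIN%29;id=CA_ID'   > ca.crt
#   p11tool --export 'pkcs11:token=BELPIC%20%28Basic%20PIN%29;id=ROOT_ID' > root.crt
#   cat ca.crt root.crt > myca.crt
set -e

# chain_validates BUNDLE CERT: status 0 when CERT chains to a self-signed root
# using only the certificates in BUNDLE (every cert in -CAfile is trusted, so
# an intermediate placed there completes the chain just as it would in --cafile).
chain_validates() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_test_pki DIR: constructed test data mimicking the card's layout:
# root.crt (self-signed) -> ca.crt (intermediate) -> auth.crt (end entity).
make_test_pki() {
    dir="$1"
    printf '[req]\ndistinguished_name = dn\nx509_extensions = v3ca\n[dn]\n[v3ca]\nbasicConstraints = critical,CA:TRUE\n' \
        > "$dir/req.cnf"
    printf 'basicConstraints = critical,CA:TRUE\n' > "$dir/ca.ext"

    # self-signed root
    openssl req -x509 -config "$dir/req.cnf" -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
        -nodes -keyout "$dir/root.key" -out "$dir/root.crt" -days 1 \
        -subj "/CN=Test Root" 2>/dev/null

    # intermediate CA signed by the root
    openssl req -new -config "$dir/req.cnf" -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
        -nodes -keyout "$dir/ca.key" -out "$dir/ca.csr" -subj "/CN=Test CA" 2>/dev/null
    openssl x509 -req -in "$dir/ca.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/ca.crt" -days 1 2>/dev/null

    # authentication certificate signed by the intermediate
    openssl req -new -config "$dir/req.cnf" -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
        -nodes -keyout "$dir/auth.key" -out "$dir/auth.csr" \
        -subj "/CN=Test User (Authentication)" 2>/dev/null
    openssl x509 -req -in "$dir/auth.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/auth.crt" -days 1 2>/dev/null
}

# demo: try the auth cert against the root alone, the CA alone, and both.
demo() {
    d=$(mktemp -d)
    make_test_pki "$d"
    cat "$d/ca.crt" "$d/root.crt" > "$d/myca.crt"   # the "export both" bundle
    for bundle in root.crt ca.crt myca.crt; do
        if chain_validates "$d/$bundle" "$d/auth.crt"; then
            echo "OK    --cafile $bundle validates auth.crt"
        else
            echo "FAIL  --cafile $bundle does not validate auth.crt (issuer missing)"
        fi
    done
    rm -rf "$d"
}

demo
```

root.crt alone fails because the authentication certificate's direct issuer is absent, and ca.crt alone fails because the chain never reaches a self-signed root; only the concatenated file passes. If the real exported bundle fails this check, the server cannot be expected to build the chain either, and the objects exported from the card are not the ones that signed the authentication certificate.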