Connection Failure
Gareth Williams
gareth at garethwilliams.me.uk
Sat Jul 26 13:54:58 PDT 2014
Hi,
I'm trying to connect to an OpenConnect server running on CentOS 7 on a
remote Digital Ocean VM (this is set up purely for
experimenting/learning purposes). For the sake of simplicity, I've
disabled SELinux and the firewall on the VM.
I'm using Fedora 20 as the client and attempting to set up a connection
using Network Manager.
I'm using a self-signed CA from which I've generated the server
certificate and key and the client certificate and key. This was all
done on openssl as opposed to the gnutls in the example on your website - I
hope that doesn't make a difference.
Unfortunately, I'm getting the message below when I run the server in a
terminal with debugging enabled.
Does it mean anything to anyone? The lines that concern me are the ones
about obtaining the username.
The subject of the client certificate is:-
subject= /C=GB/ST=West Yorkshire/L=Otley/O=Gareth
Williams/OU=OpenConnectClient/CN=gareth/emailAddress=gareth at xxxxxxxxxxxxxx.me.uk
which I extracted using openssl x509 -in <cert> -noout -subject
The CN is 'gareth' and that's a user on the VM. I'm not 100% certain I
understand what that should be as I'm not logging in with a
username/password.
ocserv[5011]: worker: xx.xxx.65.223:51482 HTTP: Host:
xxxxxxxxxxxxxx.me.uk [0/1333]
ocserv[5011]: worker: xx.xxx.65.223:51482 HTTP: User-Agent: OpenConnect
VPN Agent (NetworkManager) v6.00
ocserv[5011]: worker: xx.xxx.65.223:51482 User-agent: 'OpenConnect VPN
Agent (NetworkManager) v6.00'
ocserv[5011]: worker: xx.xxx.65.223:51482 HTTP: Accept: */*
ocserv[5011]: worker: xx.xxx.65.223:51482 HTTP: Accept-Encoding: identity
ocserv[5011]: worker: xx.xxx.65.223:51482 HTTP: X-Transcend-Version: 1
ocserv[5011]: worker: xx.xxx.65.223:51482 HTTP GET /
ocserv[5011]: TLS[<2>]: ASSERT: dn.c:239
ocserv[5011]: worker: xx.xxx.65.223:51482 worker-auth.c:397: cannot
obtain user from certificate DN: The given memory buffer is too short to
hold parameters.
ocserv[5011]: worker: xx.xxx.65.223:51482 worker-auth.c:765: cannot get
username ((null)) from certificate
ocserv[5011]: worker: xx.xxx.65.223:51482 cannot obtain certificate
information
ocserv[5011]: TLS[<2>]: ASSERT: gnutls_buffers.c:613
ocserv[5011]: TLS[<4>]: REC: Sending Alert[1|0] - Close notify
ocserv[5011]: TLS[<4>]: REC[0x1b02db0]: Preparing Packet Alert(21) with
length: 2 and target length: 2
ocserv[5011]: TLS[<9>]: ENC[0x1b02db0]: cipher: AES-128-CBC, MAC: SHA1,
Epoch: 1
ocserv[5011]: TLS[<4>]: REC[0x1b02db0]: Sent Packet[2] Alert(21) in
epoch 1 and length: 37
ocserv[5011]: TLS[<4>]: REC[0x1b02db0]: Start of epoch cleanup
ocserv[5011]: TLS[<4>]: REC[0x1b02db0]: End of epoch cleanup
ocserv[5011]: TLS[<4>]: REC[0x1b02db0]: Epoch #1 freed
ocserv[5008]: main: xx.xxx.65.223:51482 main-misc.c:414: command socket
closed
ocserv[5008]: main: xx.xxx.65.223:51482 removing client '' with id '5011'
Can anyone give me some guidance as to where I've gone wrong?
Thanks in advance,
Gareth
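The log above shows ocserv failing to derive a username from the client certificate's subject DN. ocserv picks that username from the attribute named by its cert-user-oid setting (the sample configuration uses 2.5.4.3, the CN). The script below is an added example, not code from the post's author or from the ocserv project: it parses the legacy slash-separated subject line that `openssl x509 -noout -subject` printed in the post, pulls out the attribute ocserv would use, and checks whether the value looks like a local account name. The sample subject is the one quoted in the post with the e-mail domain kept masked; the OID table covers only the attribute names that subject contains.

```python
import re

# Constructed sample: the "openssl x509 -noout -subject" line quoted in the
# post, with the e-mail domain left masked as it appears there.
SAMPLE_SUBJECT = (
    "subject= /C=GB/ST=West Yorkshire/L=Otley/O=Gareth Williams"
    "/OU=OpenConnectClient/CN=gareth/emailAddress=gareth at xxxxxxxxxxxxxx.me.uk"
)

# OpenSSL short names -> standard X.520 / PKCS#9 OIDs for the attributes that
# appear in the sample subject (assumption: nothing else is needed here).
ATTR_OIDS = {
    "C": "2.5.4.6",
    "ST": "2.5.4.8",
    "L": "2.5.4.7",
    "O": "2.5.4.10",
    "OU": "2.5.4.11",
    "CN": "2.5.4.3",
    "emailAddress": "1.2.840.113549.1.9.1",
}

# A username ocserv hands to the system should look like a plain local account
# name; spaces, '@' or '/' indicate the wrong attribute was selected.
_SAFE_USERNAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def parse_openssl_subject(line):
    """Parse OpenSSL's legacy '/C=..' subject line into (attribute, value) pairs.

    The legacy format separates RDNs with '/' and does not escape a '/' inside
    a value, so we only split on a '/' that is followed by 'name='.
    """
    if line.startswith("subject="):
        line = line[len("subject="):]
    line = line.strip()
    if not line.startswith("/"):
        raise ValueError("expected legacy slash-separated subject format")
    parts = re.split(r"/(?=[A-Za-z0-9.]+=)", line[1:])
    rdns = []
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN component: {part!r}")
        rdns.append((name, value))
    return rdns


def attribute_values(rdns, oid):
    """Return every value whose attribute matches the given OID (dotted form)."""
    return [value for name, value in rdns if ATTR_OIDS.get(name, name) == oid]


def username_from_subject(line, user_oid="2.5.4.3"):
    """Select the username attribute the way a cert-user-oid setting would.

    Exactly one matching attribute is required: zero means the certificate
    carries no usable identity, more than one is ambiguous.
    """
    values = attribute_values(parse_openssl_subject(line), user_oid)
    if len(values) != 1:
        raise ValueError(
            f"expected exactly one attribute {user_oid} in subject, found {len(values)}"
        )
    return values[0]


def is_safe_username(name):
    """True if the value is shaped like a local account name."""
    return bool(_SAFE_USERNAME.match(name))


if __name__ == "__main__":
    user = username_from_subject(SAMPLE_SUBJECT)
    print("username from CN:", user, "safe:", is_safe_username(user))
    email = username_from_subject(SAMPLE_SUBJECT, "1.2.840.113549.1.9.1")
    print("value if emailAddress were chosen:", repr(email), "safe:", is_safe_username(email))
```

Run against the sample, the CN yields `gareth`, which passes the account-name check, whereas selecting the emailAddress attribute yields a value with spaces and a domain that does not; the shape check is the quick sanity test to apply to a client certificate before pointing cert-user-oid at a given attribute.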