doesn't connect with certificate

Union union.kjesi at gmail.com
Fri Dec 1 03:58:32 PST 2017


Hello

In the past I could successfully connect with the pfx certificate to
the ASA server with openconnect.

But for the last couple of weeks this doesn't work anymore. It seems the
connection is established, but at the end it just throws out the login
entry (more details in the attachment).
I'm using the latest GitHub version of openconnect (as of today),
with "openconnect -v -c cert.pfx 1.2.3.4 --os=win -printcookie
--dump-http-traffic", but the same result also occurred with the older
version.

At the same time I can connect normally with the AnyConnect client from
the Windows machine from which the certificate with its private key was
exported and used with openconnect.

Is it possible to say what is causing this based on the attached log,
or is there some check on the ASA side (to which of course I don't
have access)?

Thank you
-------------- next part --------------
openconnect -v -c cert.pfx 1.2.3.4 --os=win -printcookie --dump-http-traffic

POST https://1.2.3.4/
Attempting to connect to server 1.2.3.4:443
Connected to 1.2.3.4:443
Using certificate file cert.pfx
Failed to decrypt PKCS#12 certificate file
Enter PKCS#12 pass phrase:
Using client certificate '/DC=com/DC=XXXg/DC=corp/DC=XXX/OU=Corporate Workplaces/OU=Desktops and Notebooks/OU=XX/OU=XXXXXXX'
SSL negotiation with 1.2.3.4
Server certificate verify failed: unable to get local issuer certificate

Certificate from VPN server "1.2.3.4" failed verification.
Reason: unable to get local issuer certificate
To trust this server in future, perhaps add this to your command line:
    --servercert YYY
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on 1.2.3.4
> POST / HTTP/1.1
> Host: 1.2.3.4
> User-Agent: Open AnyConnect VPN Agent v7.08-47-g2d77040
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: win
> X-Support-HTTP-Auth: true
> X-Pad: 0000000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 213
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init"><version who="vpn">v7.08-47-g2d77040</version><device-id>win</device-id><group-access>https://1.2.3.4</group-access></config-auth>
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=utf-8
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Fri, 01 Dec 2017 11:24:40 GMT
X-Frame-Options: SAMEORIGIN
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length:  (0)
GET https://1.2.3.4/
Attempting to connect to server 1.2.3.4:443
Connected to 1.2.3.4:443
SSL negotiation with 1.2.3.4
Server certificate verify failed: unable to get local issuer certificate
Connected to HTTPS on 1.2.3.4
> GET / HTTP/1.1
> Host: 1.2.3.4
> User-Agent: Open AnyConnect VPN Agent v7.08-47-g2d77040
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Support-HTTP-Auth: true
> 
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=utf-8
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Fri, 01 Dec 2017 11:24:40 GMT
X-Frame-Options: SAMEORIGIN
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length:  (0)
GET https://1.2.3.4/+webvpn+/index.html
SSL negotiation with 1.2.3.4
Server certificate verify failed: unable to get local issuer certificate
Connected to HTTPS on 1.2.3.4
> GET /+webvpn+/index.html HTTP/1.1
> Host: 1.2.3.4
> User-Agent: Open AnyConnect VPN Agent v7.08-47-g2d77040
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Support-HTTP-Auth: true
> 
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Frame-Options: SAMEORIGIN
X-Transcend-Version: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <auth id="main">
< <title>SSL VPN Service</title>
< <ca status="disabled" href="/+CSCOCA+/login.html" />
< 
< 
< 
< <banner></banner>
< <message>Please enter your username and password.</message>
< 
< 
< <form method="post" action="/+webvpn+/index.html">
< 
< <input type="text" name="username" label="Username:" />
< <input type="password" name="password" label="Password:" />
< 
< 
< <select name="group_list" label="GROUP:">
< <option value="ldzAnyConnect" noaaa="0" auth-type="sdi-via-proxy" override-name="password" override-label="PASSCODE:" >XXX</option><option value="YYY" noaaa="1" >YYY</option></select>
< 
< <input type="submit" name="Login" value="Login" />
< <input type="reset" name="Clear" value="Clear" />
< 
< 
< </form>
< </auth>
< 
Please enter your username and password.
GROUP: [XXX|YYY]:


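Worked example of what the final exchange in the log contains: a parser for the ASA `<auth>` form that openconnect printed, added here as an illustration and not code from the original post or from the openconnect project. It takes the XML copied from the posted log (the poster's XXX/YYY redactions kept), lists the credential inputs and the `group_list` options with their `noaaa`/`auth-type` attributes, applies a group's `override-name`/`override-label` pair to the prompt labels (my reading of those attribute names, which the log shows but does not explain), and builds the URL-encoded body that a client would POST back to the form's `action`. The field order in that body is my own choice, not necessarily the order openconnect uses.

```python
"""Parse the ASA <auth> form from the posted --dump-http-traffic log.

Added example, not code from the original post or the openconnect project.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Copied from the "< ..." lines of the posted log (blank lines dropped).
ASA_AUTH_XML = """<?xml version="1.0" encoding="UTF-8"?>
<auth id="main">
<title>SSL VPN Service</title>
<ca status="disabled" href="/+CSCOCA+/login.html" />
<banner></banner>
<message>Please enter your username and password.</message>
<form method="post" action="/+webvpn+/index.html">
<input type="text" name="username" label="Username:" />
<input type="password" name="password" label="Password:" />
<select name="group_list" label="GROUP:">
<option value="ldzAnyConnect" noaaa="0" auth-type="sdi-via-proxy" override-name="password" override-label="PASSCODE:" >XXX</option><option value="YYY" noaaa="1" >YYY</option></select>
<input type="submit" name="Login" value="Login" />
<input type="reset" name="Clear" value="Clear" />
</form>
</auth>
"""

CREDENTIAL_TYPES = ("text", "password")


def parse_auth_form(xml_text):
    """Return a dict describing the credential form inside an <auth> reply."""
    root = ET.fromstring(xml_text)
    if root.tag != "auth":
        raise ValueError("not an <auth> document: <%s>" % root.tag)
    form = root.find("form")
    if form is None:
        raise ValueError("<auth> carries no <form>")
    inputs = [{"type": i.get("type"), "name": i.get("name"),
               "label": i.get("label"), "value": i.get("value")}
              for i in form.findall("input")]
    groups = []
    for sel in form.findall("select"):
        for opt in sel.findall("option"):
            groups.append({
                "select": sel.get("name"),            # e.g. group_list
                "value": opt.get("value"),
                "text": (opt.text or "").strip(),
                "noaaa": opt.get("noaaa") == "1",
                "auth_type": opt.get("auth-type"),
                "override_name": opt.get("override-name"),
                "override_label": opt.get("override-label"),
            })
    return {"message": root.findtext("message", default="").strip(),
            "method": form.get("method"), "action": form.get("action"),
            "inputs": inputs, "groups": groups}


def credential_fields(form):
    """Names of the fields the user has to type (text/password inputs)."""
    return [i["name"] for i in form["inputs"] if i["type"] in CREDENTIAL_TYPES]


def prompt_labels(form, group_value):
    """Prompt label per credential field once a group is chosen.

    Assumption: an option's override-name names an input whose label is
    replaced by override-label (the log's sdi-via-proxy group relabels the
    password prompt as PASSCODE:).
    """
    labels = {i["name"]: i["label"] for i in form["inputs"]
              if i["type"] in CREDENTIAL_TYPES}
    for g in form["groups"]:
        if (g["value"] == group_value and g["override_name"] in labels
                and g["override_label"]):
            labels[g["override_name"]] = g["override_label"]
    return labels


def login_body(form, group_value, username, password):
    """URL-encoded body to POST to form['action'] (field order is my choice)."""
    group = next((g for g in form["groups"] if g["value"] == group_value), None)
    if group is None:
        raise ValueError("unknown group %r" % group_value)
    typed = {"username": username, "password": password}
    fields = [(n, typed.get(n, "")) for n in credential_fields(form)]
    fields.append((group["select"], group_value))
    fields += [(i["name"], i["value"]) for i in form["inputs"]
               if i["type"] == "submit"]
    return urlencode(fields)


if __name__ == "__main__":
    f = parse_auth_form(ASA_AUTH_XML)
    print("server says:", f["message"])
    print("credential fields:", credential_fields(f))
    for g in f["groups"]:
        print("group %-14s noaaa=%-5s auth-type=%s"
              % (g["value"], g["noaaa"], g["auth_type"]))
        print("  prompts once selected:", prompt_labels(f, g["value"]))
    print("reply body for group YYY:", login_body(f, "YYY", "alice", "hunter2"))
```

Running it against the copied XML shows what the log's last lines summarise as `GROUP: [XXX|YYY]:`: the server cleared the `webvpn` cookies, set `webvpnlogin=1`, and answered the certificate-authenticated session with a plain username/password form, where the `ldzAnyConnect` option (`auth-type="sdi-via-proxy"`) relabels the password prompt as `PASSCODE:` and the `YYY` option carries `noaaa="1"`. The parser only makes the form's contents explicit; it does not say why the ASA chose to present it.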