Getting "SSL connection failure: PKCS #11 error." even when supplying the correct CA file

David Raison david at tentwentyfour.lu
Tue Sep 19 00:48:55 PDT 2017


David,

Sorry for the long long silence. I haven't actually needed this to work
in the past few months, but now I do, so this means renewed interest.

On 28/04/17 12:32, David Raison wrote:
> 
>> It's possible that something in the exchange over the network is
>> causing us to trigger a latent bug... hard to say before we see more
>> debugging info really.
>>
>> We should also try with pkcs11-spy.

I ran the openconnect command with pcsc-spy, gnutls-debug set to 99 and
OPENSC_DEBUG to 9, which produced quite a lot of output that I don't
want to paste here, especially since I don't know if they contain any
sensitive information, such as e.g. the pin… OK, yes they do. So what's
the recommended way to share this info?

The last few lines around the PKCS#11 error:

> ASSERT: buffers.c[get_last_packet]:1159
> HSK[0x55d2194215c0]: SERVER HELLO DONE (14) was received. Length 0[0], frag offset 0, frag length: 1, sequence: 0
> ASSERT: buffers.c[_gnutls_handshake_io_recv_int]:1397
> HSK[0x55d2194215c0]: CERTIFICATE was queued [1743 bytes]
> HWRITE: enqueued [CERTIFICATE] 1743. Total 1743 bytes.
> HSK[0x55d2194215c0]: CLIENT KEY EXCHANGE was queued [262 bytes]
> HWRITE: enqueued [CLIENT KEY EXCHANGE] 262. Total 2005 bytes.
> sign handshake cert vrfy: picked RSA-SHA512 with SHA512
> ASSERT: pkcs11_privkey.c[_gnutls_pkcs11_privkey_sign_hash]:299
> ASSERT: privkey.c[gnutls_privkey_sign_hash]:1166
> ASSERT: tls-sig.c[_gnutls_handshake_sign_crt_vrfy12]:580
> ASSERT: cert.c[_gnutls_gen_cert_client_crt_vrfy]:1477
> ASSERT: kx.c[_gnutls_send_client_certificate_verify]:369
> ASSERT: handshake.c[handshake_client]:2923
> SSL connection failure: PKCS #11 error.
> REC[0x55d2194215c0]: Start of epoch cleanup
> REC[0x55d2194215c0]: End of epoch cleanup
> REC[0x55d2194215c0]: Epoch #0 freed
> REC[0x55d2194215c0]: Epoch #1 freed
> Failed to open HTTPS connection…


From that I still don't see the source of the error though.

I'm not sure I've actually been able to get pkcs11-spy output. It's not
really clear to me how to do this, and setting the env vars alone (as
described on the OpenSC wiki) does not output anything for me.


Regards,
David


-- 
TenTwentyFour S.à r.l.
W: www.tentwentyfour.lu
T: +352 20 211 1024
F: +352 20 211 1023
3 Avenue du Blues
L-4368 Belvaux
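Added example, not part of the thread: a small bash helper that sets the pkcs11-spy environment the OpenSC wiki documents (PKCS11SPY for the real module, PKCS11SPY_OUTPUT for the trace file) and scrubs PIN material from a captured trace before it is shared with a list. The module path and the sample trace are constructed, and the redaction patterns assume the pkcs11-spy `pPin[ulPinLen]` record and OpenSC "Outgoing APDU" dump layouts they target.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: scrub PIN material from an OpenSC /
# pkcs11-spy trace before posting it. Assumptions: PKCS11SPY and
# PKCS11SPY_OUTPUT are the env vars the OpenSC wiki documents for
# pkcs11-spy; the module path and the trace excerpt are constructed here.
set -u

# Point pkcs11-spy at the real module and at a trace file. Only exports
# variables; the caller runs openconnect in the same environment afterwards.
spy_env() {
  export PKCS11SPY="${1:-/usr/lib/opensc-pkcs11.so}"   # assumed path
  export PKCS11SPY_OUTPUT="${2:-$PWD/pkcs11-spy.log}"
}

# Redact secrets from a trace read on stdin, line for line, so the failure
# context stays intact:
#  - the hex dump that follows a pkcs11-spy "pPin[ulPinLen]" record
#  - OpenSC "Outgoing APDU" dumps whose INS byte is 0x20 (ISO 7816 VERIFY)
redact_trace() {
  awk '
    /pPin\[ulPinLen\]/     { print; skip = 1; apdu = 0; next }
    /^Outgoing APDU/       { print; apdu = 1; skip = 0; next }
    skip && /^[[:space:]]/ { print "    [PIN redacted]"; next }
    apdu && /^[[:space:]]*[0-9A-Fa-f][0-9A-Fa-f] 20 / {
                             print "    [VERIFY APDU redacted]"; apdu = 0; next }
    { skip = 0; apdu = 0; print }
  '
}

# Constructed trace mimicking a C_Login record, a VERIFY APDU and the
# GnuTLS lines from the thread; PIN "1234" appears in two places.
sample_trace() {
  cat <<'EOF'
12: C_Login
[in] userType = CKU_USER
[in] pPin[ulPinLen] 0x55d2194215c0 / 4
    00000000  31 32 33 34  1234
Outgoing APDU (13 bytes):
    00 20 00 81 08 31 32 33 34 FF FF FF FF
Incoming APDU (2 bytes):
    90 00
sign handshake cert vrfy: picked RSA-SHA512 with SHA512
SSL connection failure: PKCS #11 error.
EOF
}

# What would be safe to share: the trace with both PIN occurrences removed.
redacted_sample() { sample_trace | redact_trace; }
```

Run `spy_env` before openconnect to produce the trace, then pipe the trace file through `redact_trace` and diff it against the original to confirm only the PIN lines changed.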
