Getting "SSL connection failure: PKCS #11 error." even when supplying the correct CA file

Noel Dieschburg noel at
Fri Sep 22 07:01:35 PDT 2017

Hi David, 

First thank you for your quick answer ;)

Do you know if there is a way to do such things (disable RSA-512 signin
algo) without rcompiling the gnu-tls library? I found nothing for the

Best regards. 


Le vendredi 22 septembre 2017 à 14:39 +0200, David Raison a écrit :
> Hi Nikos,
> On 22/09/17 02:38, Nikos Mavrogiannopoulos wrote:
> > Without using debugging tools you most likely never find the
> > culprit. From you previous logs, the client fails at signing with
> > rsa-sha512. A long shot may be that there is a buffer overflow
> > somewhere due to sha512. Have you tried eliminating this signing
> > algorithm from server (or client)?
> Unfortunately I don't control the server (or I wouldn't be using
> AnyConnect :P) but maybe Noël or I can try disabling RSA-SHA512 on
> the
> client side and see if that changes anything.
> Regards,
> David

More information about the openconnect-devel mailing list