Getting "SSL connection failure: PKCS #11 error." even when supplying the correct CA file

Noel Dieschburg noel at
Fri Sep 22 07:44:29 PDT 2017


I specified the parameter in ./configure:

/u/s/openconnect-7.08 ❯❯❯ grep RSA config.h

It now chooses SIGN-RSA-256 as signing algorithm but still fails to
connect:

ASSERT: extensions.c[_gnutls_get_extension]:65
HSK[0x55eb8c945d30]: verify handshake data: using RSA-SHA256
ASSERT: buffers.c[get_last_packet]:1159
READ: Got 5 bytes from 0x5
READ: read 5 bytes from 0x5
RB: Have 0 bytes into buffer. Adding 5 bytes.
RB: Requested 5 bytes
REC[0x55eb8c945d30]: SSL 3.3 Handshake packet received. Epoch 0,
length: 1015
REC[0x55eb8c945d30]: Expected Packet Handshake(22)
REC[0x55eb8c945d30]: Received Packet Handshake(22) with length: 1015
READ: Got 1015 bytes from 0x5
READ: read 1015 bytes from 0x5
RB: Have 5 bytes into buffer. Adding 1015 bytes.
RB: Requested 1020 bytes
REC[0x55eb8c945d30]: Decrypted Packet[3] Handshake(22) with length:
BUF[REC]: Inserted 1015 bytes of Data(22)
HSK[0x55eb8c945d30]: CERTIFICATE REQUEST (13) was received. Length
1007[1011], frag offset 0, frag length: 1007, sequence: 0
EXT[0x55eb8c945d30]: rcvd signature algo (6.1) RSA-SHA512
EXT[0x55eb8c945d30]: rcvd signature algo (6.2) DSA-SHA512
EXT[0x55eb8c945d30]: rcvd signature algo (6.3) ECDSA-SHA512
EXT[0x55eb8c945d30]: rcvd signature algo (5.1) RSA-SHA384
EXT[0x55eb8c945d30]: rcvd signature algo (5.2) DSA-SHA384
EXT[0x55eb8c945d30]: rcvd signature algo (5.3) ECDSA-SHA384
EXT[0x55eb8c945d30]: rcvd signature algo (4.1) RSA-SHA256
EXT[0x55eb8c945d30]: rcvd signature algo (4.2) DSA-SHA256
EXT[0x55eb8c945d30]: rcvd signature algo (4.3) ECDSA-SHA256
EXT[0x55eb8c945d30]: rcvd signature algo (2.1) RSA-SHA1
EXT[0x55eb8c945d30]: rcvd signature algo (2.2) DSA-SHA1
EXT[0x55eb8c945d30]: rcvd signature algo (2.3) ECDSA-SHA1
ASSERT: buffers.c[get_last_packet]:1159
HSK[0x55eb8c945d30]: SERVER HELLO DONE (14) was received. Length 0[0],
frag offset 0, frag length: 1, sequence: 0
ASSERT: buffers.c[_gnutls_handshake_io_recv_int]:1397
HSK[0x55eb8c945d30]: CERTIFICATE was queued [1757 bytes]
HWRITE: enqueued [CERTIFICATE] 1757. Total 1757 bytes.
HSK[0x55eb8c945d30]: CLIENT KEY EXCHANGE was queued [262 bytes]
HWRITE: enqueued [CLIENT KEY EXCHANGE] 262. Total 2019 bytes.
sign handshake cert vrfy: picked RSA-SHA512 with SHA512
ASSERT: pkcs11_privkey.c[_gnutls_pkcs11_privkey_sign_hash]:352
ASSERT: privkey.c[gnutls_privkey_sign_hash]:1175
ASSERT: tls-sig.c[_gnutls_handshake_sign_crt_vrfy12]:580
ASSERT: cert.c[_gnutls_gen_cert_client_crt_vrfy]:1477
ASSERT: kx.c[_gnutls_send_client_certificate_verify]:369
ASSERT: handshake.c[handshake_client]:2926
SSL connection failure: PKCS #11 erreur.
REC[0x55eb8c945d30]: Start of epoch cleanup
REC[0x55eb8c945d30]: End of epoch cleanup
REC[0x55eb8c945d30]: Epoch #0 freed
REC[0x55eb8c945d30]: Epoch #1 freed
Failed to open HTTPS connection to
Failed to obtain WebVPN cookie

It seems to use RSA-256: HSK[0x55eb8c945d30]: verify handshake data: using RSA-SHA256

But afterwards, I still have: sign handshake cert vrfy: picked RSA-SHA512 with SHA512

Is that normal?

Best regards. 


On Friday, 22 September 2017 at 16:03 +0200, Nikos Mavrogiannopoulos
wrote:
> On Fri, Sep 22, 2017 at 4:01 PM, Noel Dieschburg <noel at>
> wrote:
> > Hi David,
> > 
> > First, thank you for your quick answer ;)
> > 
> > Do you know if there is a way to do such things (disable RSA-512
> > signing algo) without recompiling the gnu-tls library? I found nothing
> > for the moment.
> I believe you have to recompile openconnect and set to configure:
> --with-default-gnutls-priority="NORMAL:-SIGN-RSA-SHA512"
> (I'd also remove RSA-SHA384 to try with the more common SHA256)
> --with-default-gnutls-priority="NORMAL:-SIGN-RSA-SHA512:-SIGN-RSA-SHA384"
> regards,
> Nikos
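An added diagnostic script, not from this thread or from the OpenConnect/GnuTLS projects, that reads a GnuTLS debug log like the one quoted above: it separates the server's own signature (the "verify handshake data" line, which is why that one says RSA-SHA256) from the client's CertificateVerify choice (the "picked" line), confirms the assert came from the PKCS#11 signing path, and derives the exclusion list Nikos suggests. The sample log is a constructed excerpt of the one above, and the fallback target RSA-SHA256 is an assumption.

```python
import re

# Constructed excerpt modelled on the GnuTLS debug log quoted in the thread.
SAMPLE_LOG = """\
HSK[0x55eb8c945d30]: verify handshake data: using RSA-SHA256
EXT[0x55eb8c945d30]: rcvd signature algo (6.1) RSA-SHA512
EXT[0x55eb8c945d30]: rcvd signature algo (5.1) RSA-SHA384
EXT[0x55eb8c945d30]: rcvd signature algo (4.1) RSA-SHA256
EXT[0x55eb8c945d30]: rcvd signature algo (2.1) RSA-SHA1
sign handshake cert vrfy: picked RSA-SHA512 with SHA512
ASSERT: pkcs11_privkey.c[_gnutls_pkcs11_privkey_sign_hash]:352
ASSERT: tls-sig.c[_gnutls_handshake_sign_crt_vrfy12]:580
SSL connection failure: PKCS #11 erreur.
"""

# "rcvd signature algo" lines are the server's CertificateRequest list in its
# preference order; "picked" is the client's CertificateVerify algorithm.
ALGO_RE = re.compile(r"rcvd signature algo \((\d+)\.(\d+)\) (\S+)")
PICKED_RE = re.compile(r"sign handshake cert vrfy: picked (\S+) with (\S+)")
PKCS11_SIGN_ASSERT = "pkcs11_privkey.c[_gnutls_pkcs11_privkey_sign_hash]"

def analyse(log):
    """Return offered (hash_id, sig_id, name) list, picked algo, PKCS#11 flag."""
    offered, picked, pkcs11_sign_failed = [], None, False
    for line in log.splitlines():
        if m := ALGO_RE.search(line):
            offered.append((int(m.group(1)), int(m.group(2)), m.group(3)))
        elif m := PICKED_RE.search(line):
            picked = m.group(1)
        elif PKCS11_SIGN_ASSERT in line:  # token refused to sign the picked hash
            pkcs11_sign_failed = True
    return {"offered": offered, "picked": picked,
            "pkcs11_sign_failed": pkcs11_sign_failed}

def suggest_priority(result, keep="RSA-SHA256", base="NORMAL"):
    """Priority string dropping the picked algo and every same-key-type algo the
    server prefers over `keep` (assumed fallback), so the client ends up on it."""
    names = [name for _, _, name in result["offered"]]
    if not result["pkcs11_sign_failed"] or keep not in names:
        return base
    key_type = keep.split("-")[0]
    drop = [n for n in names[:names.index(keep)] if n.startswith(key_type + "-")]
    if result["picked"] and result["picked"] not in drop and result["picked"] != keep:
        drop.append(result["picked"])
    return base + "".join(f":-SIGN-{n}" for n in drop)

if __name__ == "__main__":
    r = analyse(SAMPLE_LOG)
    print("picked:", r["picked"], "| PKCS#11 sign failed:", r["pkcs11_sign_failed"])
    print("--with-default-gnutls-priority=" + suggest_priority(r))
```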
