openconnect command line can establish Pulse sessions but NetworkManager-openconnect cannot?
James Ralston
ralston at pobox.com
Tue Apr 19 11:34:50 PDT 2022
On Fedora, has anyone been able to get NetworkManager-openconnect to
actually establish Pulse sessions?

When using the command line as root, it works perfectly:

$ openconnect --protocol=pulse https://vpn.example.org/it-esp
Connected to 1.2.3.4:443
SSL negotiation with vpn.example.org
Connected to HTTPS on vpn.example.org with ciphersuite (TLS1.2)-(ECDHE-SECP384R1)-(ECDSA-SHA512)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 101 Switching Protocols
Enter user credentials:
Username:myusername
Password:xxxxxxxxxxxxxxxxxxx
Enter secondary credentials:
Secondary password:push
[confirm Duo Secure prompt]
Connected as 10.64.207.167, using SSL, with ESP in progress
ESP session established with server

But when using NetworkManager-openconnect, after I bring the VPN
connection up, it hangs for about 20 seconds, and then the following
errors are logged:

openconnect[239536]: Connected to 1.2.3.4:443
openconnect[239536]: SSL negotiation with 1.2.3.4
openconnect[239536]: Server certificate verify failed: signer not found
openconnect[239536]: Connected to HTTPS on 1.2.3.4 with ciphersuite (TLS1.2)-(ECDHE-SECP384R1)-(ECDSA-SHA512)-(AES-256-GCM)
openconnect[239536]: Got HTTP response: HTTP/1.1 101 Switching Protocols
openconnect[239536]: Pulse authentication cookie not accepted
NetworkManager[239536]: Creating SSL connection failed

This smells like a configuration issue or error, but if I've
overlooked some setting in the NetworkManager configuration for the
VPN interface, I don't know what it is.

More detail (including full system logs and the exact VPN interface
settings) is available in the upstream bug I filed:

https://bugzilla.redhat.com/show_bug.cgi?id=2038446

Thanks in advance for any pointers or tips…