Openconnect supporting SafeNet eToken 5300

Dimitri Papadopoulos dimitri.papadopoulos at cea.fr
Thu Jun 23 10:06:05 PDT 2022


Hi Pavel,

How did you try to build OpenConnect 9.01? These instructions should 
work on any Linux distribution:
	[download source code, unpack in a folder, enter that folder]
	./configure
	make
provided these requirements are met:
	https://www.infradead.org/openconnect/building.html

The error message you show us might be caused by a previous error that 
we do not see. A full build log would help (add it to issue 
https://gitlab.com/openconnect/openconnect/-/issues/242). Also which 
Linux distribution are you building on?

Dimitri

Le 23/06/2022 à 15:27, Pavel Gavronsky a écrit :
> Hi Dmitri,
> 
> Thank you for the reply.
> 
> I tried to install the latest openconnect version, however, when running "make", the following error appeared:
> 
> make[1]: *** No rule to make target '../libopenconnect.la', needed by 'serverhash'.  Stop.
> make[1]: Leaving directory '/tmp/openconnect-9.01/tests'
> make: *** [Makefile:1749: check-recursive] Error 1
> 
> 
> I will try to install other releases which are newer than the one I have currently.
> 
> Regards,
> Pavel
> 
> From: Dimitri Papadopoulos <dimitri.papadopoulos at cea.fr>
> Sent: Tuesday, June 21, 2022 6:41 PM
> To: Pavel Gavronsky <kamm555 at hotmail.com>; openconnect-devel at lists.infradead.org <openconnect-devel at lists.infradead.org>
> Subject: Re: Openconnect supporting SafeNet eToken 5300
>   
> Hi,
> 
> Is this issue identical to that one filed a year ago?
> 
>          https://gitlab.com/openconnect/openconnect/-/issues/242
> 
> Have you tried a newer version of OpenConnect as suggested in this issue?
> 
> Best Regards,
> Dimitri
> 
> Le 21/06/2022 à 16:38, Pavel Gavronsky a écrit :
>> Hello,
>>
>> I am using Openconnect with PULSE appliance where the authentication is done by SmartCard (ACS ACR39U ICC Reader). The connection is established without any issue.
>> When trying to use SafeNet USB eToken 5300 - there is an error "Loading certificate failed. Aborting. Failed to obtain WebVPN cookie".
>>
>> $ uname -a
>> Linux xxx-xx-A 5.10.0-10-amd64 #1 SMP Debian 5.10.84-1 (2021-12-08) x86_64 GNU/Linux
>>
>> Debugging info (GNUTLS_DEBUG_LEVEL=9):
>>
>> /usr/sbin/openconnect -V
>> OpenConnect version v8.10-2+b1
>> Using GnuTLS 3.7.1. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
>> Supported protocols: anyconnect (default), nc, gp, pulse
>>
>> openconnect --protocol=pulse pdc.xxx.xxx:443/xxxx --servercert "pin-sha256:xxxxcXCTMPxxx" -c 'pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=cert' -vvv
>> gnutls[2]: Enabled GnuTLS 3.7.1 logging...
>> gnutls[2]: getrandom random generator was detected
>> gnutls[2]: Intel SSSE3 was detected
>> gnutls[2]: Intel AES accelerator was detected
>> gnutls[2]: Intel GCM accelerator was detected
>> gnutls[2]: cfg: unable to access: /etc/gnutls/config: 2
>> Attempting to connect to server x.x.x.x:443
>> Connected to x.x.x.x:443
>> Using PKCS#11 certificate pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=cert
>> gnutls[2]: Initializing all PKCS #11 modules
>> gnutls[2]: p11: Initializing module: p11-kit-trust
>> gnutls[2]: p11: Initializing module: opensc
>> gnutls[2]: p11: Initializing module: opensc-pkcs11
>> gnutls[3]: ASSERT: ../../lib/pkcs11.c[compat_load]:896
>> gnutls[2]: p11: No login requested.
>> Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private
>> PIN required for xxx
>> Enter PIN:
>> gnutls[2]: p11: Login result = ok (0)
>> gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
>> gnutls[2]: p11: No login requested.
>> Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private
>> gnutls[2]: p11: Login result = ok (0)
>> gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
>> Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private
>> gnutls[2]: p11: Login result = ok (0)
>> gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
>> Error importing PKCS#11 URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private: The requested data were not available.
>> Loading certificate failed. Aborting.
>> Failed to obtain WebVPN cookie
>>
>>
>>
>>
>> pkcs11-tool --module /usr/lib/libeToken.so  --list-token-slots
>> Available slots:
>> Slot 0 (0x0): SafeNet eToken 5300 [eToken 5300] (FFFFFFFFFFFF) 00 00
>>      token label        : xxxx
>>      token manufacturer : Gemalto
>>      token model        : ID Prime MD
>>      token flags        : login required, rng, token initialized, PIN initialized, other flags=0x200
>>      hardware version   : 0.0
>>      firmware version   : 0.0
>>      serial num         : xxxx39
>>      pin min/max        : 4/16
>> Slot 1 (0x1): ACS ACR39U ICC Reader 01 00
>>      token label        : GSTEST01
>>      token manufacturer : SafeNet, Inc.
>>      token model        : eToken
>>      token flags        : login required, rng, token initialized, PIN initialized, other flags=0x200
>>      hardware version   : 0.0
>>      firmware version   : 0.0
>>      serial num         : xx
>>      pin min/max        : 8/20
>>
>>
>> pkcs11-tool --module /usr/lib/libeTokenHID.so  -v -l -t --slot 0
>> Using slot with ID 0x0
>> Logging in to "xxxx".
>> Please enter User PIN:
>> C_SeedRandom() and C_GenerateRandom():
>>      seems to be OK
>> Digests:
>>      all 4 digest functions seem to work
>>      SHA-1: OK
>> Signatures (currently only for RSA)
>>      testing key 0 ()
>>      ERR: C_SignUpdate failed: CKR_KEY_FUNCTION_NOT_PERMITTED (0x68)
>> error: PKCS11 function C_Sign failed: rv = CKR_FUNCTION_FAILED (0x6)
>> Aborting.
>>
>>
>> pkcs11-tool --module /usr/lib/libeTokenHID.so  -v -l -t --slot 1
>> Using slot with ID 0x1
>> Logging in to "xxxx".
>> Please enter User PIN:
>> C_SeedRandom() and C_GenerateRandom():
>>      seems to be OK
>> Digests:
>>      all 4 digest functions seem to work
>>      SHA-1: OK
>> Signatures (currently only for RSA)
>>      testing key 0 (No Friendly Name Available)
>>      ERR: C_SignUpdate failed: CKR_KEY_FUNCTION_NOT_PERMITTED (0x68)
>>      testing signature mechanisms:
>>        RSA-PKCS: OK
>>        SHA256-RSA-PKCS: OK
>> Verify (currently only for RSA)
>>      testing key 0 (No Friendly Name Available)
>>        RSA-PKCS: OK
>> Decryption (currently only for RSA)
>>      testing key 0 (No Friendly Name Available)
>>     -- mechanism can't be used to decrypt, skipping
>>     -- mechanism can't be used to decrypt, skipping
>>     -- mechanism can't be used to decrypt, skipping
>>     -- mechanism can't be used to decrypt, skipping
>>     -- mechanism can't be used to decrypt, skipping
>>     -- mechanism can't be used to decrypt, skipping
>>        RSA-PKCS: OK
>>        RSA-PKCS-OAEP: mgf not set, defaulting to MGF1-SHA256
>> OAEP parameters: hashAlg=SHA256, mgf=MGF1-SHA256, source_type=0, source_ptr=(nil), source_len=0
>> OK
>> 1 errors
>>
>>
>> Any ideas?
>>
>> Thank you in advance,
>> Pavel
>> _______________________________________________
>> openconnect-devel mailing list
>> openconnect-devel at lists.infradead.org
>> http://lists.infradead.org/mailman/listinfo/openconnect-devel
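As an added illustration (not code from the thread or from OpenConnect itself), the following Python parser handles the RFC 7512 PKCS#11 URIs seen in the log above: it percent-decodes the attributes, derives the `type=private` URI from the `type=cert` one in the same way the log shows OpenConnect doing, and checks that two URIs name the same token and CKA_ID. The sample URI is constructed with made-up values in place of the poster's redacted ones.

```python
from urllib.parse import quote, unquote_to_bytes

# Constructed sample in the shape of the URIs in the log above
# (values are made up, not the poster's redacted ones).
SAMPLE_CERT_URI = (
    "pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=ABCD39;"
    "token=mytoken;id=%B6%A1%19%65%D6%5C%0C%FD%7E;object=PGCert;type=cert"
)


def parse_pkcs11_uri(uri):
    """Split the path part of an RFC 7512 PKCS#11 URI into attribute -> bytes.

    Values are percent-decoded to bytes because 'id' carries the raw CKA_ID,
    which is binary and need not be valid text.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a PKCS#11 URI: %r" % uri)
    path = uri[len("pkcs11:"):].split("?", 1)[0]      # drop query attributes
    attrs = {}
    for component in path.split(";"):
        if not component:
            continue
        name, sep, value = component.partition("=")
        if not sep:
            raise ValueError("malformed component: %r" % component)
        attrs[name] = unquote_to_bytes(value)
    return attrs


def build_pkcs11_uri(attrs):
    """Serialise attributes back to a URI, percent-encoding non-unreserved bytes."""
    return "pkcs11:" + ";".join(
        "%s=%s" % (name, quote(value, safe="")) for name, value in attrs.items()
    )


def private_key_uri(cert_uri):
    """Derive the key URI as the log shows: same token and CKA_ID, type=private."""
    attrs = parse_pkcs11_uri(cert_uri)
    if attrs.get("type") != b"cert":
        raise ValueError("expected a certificate URI (type=cert)")
    attrs["type"] = b"private"
    return build_pkcs11_uri(attrs)


def refers_to_same_object(uri_a, uri_b):
    """True when both URIs name the same token and CKA_ID (how a key is matched to its cert)."""
    a, b = parse_pkcs11_uri(uri_a), parse_pkcs11_uri(uri_b)
    return all(a.get(k) == b.get(k) for k in ("token", "serial", "id"))
```

If the derived key URI matches no object on the token (or the object exists but lacks the sign capability, as the `C_SignUpdate` error in the `pkcs11-tool` output suggests), the import fails with the "requested data were not available" error shown above.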