Openconnect supporting SafeNet eToken 5300
Pavel Gavronsky
kamm555 at hotmail.com
Tue Jun 28 06:52:53 PDT 2022
Hi Dimitri,
Sorry for the late response, I had no access to my system to try the new installation.
Finally, I have installed 9.00:
openconnect -V
OpenConnect version v9.00
Using OpenSSL 1.1.1n 15 Mar 2022. Features present: TPM (OpenSSL ENGINE not present), PKCS#11, HOTP software token, TOTP software token, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
Default vpnc-script (override with --script): /usr/share/vpnc-scripts/vpnc-script
Unfortunately, I am not able to connect, the following error appears when I try to use a SmartCard or USB Token:
Failed to enumerate PKCS#11 slots
140593529243456:error:81071054:PKCS#11 module:pkcs11_init_slot:Function not supported:p11_slot.c:428:
Loading certificate failed. Aborting.
Failed to complete authentication
Both SmartCard and USB Token are connected and available:
# pkcs11-tool --module /usr/lib/libeTokenHID.so -L
Available slots:
Slot 0 (0x0): SafeNet eToken 5300 [eToken 5300] (FFFFFFFFFFFF) 00 00
token label : xxxx
token manufacturer : Gemalto
token model : ID Prime MD
token flags : login required, rng, token initialized, PIN initialized, other flags=0x200
hardware version : 0.0
firmware version : 0.0
serial num : 09E8xxxxx3E3xxx9
pin min/max : 4/16
Slot 1 (0x1): ACS ACR39U ICC Reader 01 00
token label : xxxxxx
token manufacturer : SafeNet, Inc.
token model : eToken
token flags : login required, rng, token initialized, PIN initialized, other flags=0x200
hardware version : 0.0
firmware version : 0.0
serial num : 02xxxxeb42
pin min/max : 8/20
Slot 2 (0x2):
(empty)
Slot 3 (0x3):
(empty)
Slot 4 (0x4):
(empty)
Slot 5 (0x5):
(empty)
Slot 6 (0x6):
(empty)
Slot 7 (0x7):
(empty)
I am attaching the ldd output for the reference:
ldd /usr/local/sbin/openconnect
linux-vdso.so.1 (0x00007fffc95db000)
libopenconnect.so.5 => /usr/local/lib/libopenconnect.so.5 (0x00007fdb79531000)
libxml2.so.2 => /lib/x86_64-linux-gnu/libxml2.so.2 (0x00007fdb79383000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fdb791be000)
libssl.so.1.1 => /lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007fdb7912b000)
libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007fdb78e37000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fdb78e1a000)
libp11.so.3 => /lib/x86_64-linux-gnu/libp11.so.3 (0x00007fdb78e07000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fdb78cc3000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fdb78cbd000)
libicuuc.so.67 => /lib/x86_64-linux-gnu/libicuuc.so.67 (0x00007fdb78ad4000)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007fdb78aac000)
/lib64/ld-linux-x86-64.so.2 (0x00007fdb795ca000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fdb78a8a000)
libicudata.so.67 => /lib/x86_64-linux-gnu/libicudata.so.67 (0x00007fdb76f6f000)
libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007fdb76da2000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007fdb76d88000)
Thank you,
Pavel
From: Dimitri Papadopoulos <dimitri.papadopoulos at cea.fr>
Sent: Thursday, June 23, 2022 7:06 PM
To: Pavel Gavronsky <kamm555 at hotmail.com>; openconnect-devel at lists.infradead.org <openconnect-devel at lists.infradead.org>
Subject: Re: Openconnect supporting SafeNet eToken 5300
Hi Pavel,
How did you try to build OpenConnect 9.01? These instructions should
work on any Linux distribution:
[download source code, unpack in a folder, enter that folder]
./configure
make
provided these requirements are met:
https://www.infradead.org/openconnect/building.html
The error message you show us might be caused by a previous error that
we do not see. A full build log would help (add it to issue
https://gitlab.com/openconnect/openconnect/-/issues/242). Also which
Linux distribution are you building on?
Dimitri
Le 23/06/2022 à 15:27, Pavel Gavronsky a écrit :
> Hi Dmitri,
>
> Thank you for the reply.
>
> I tried to install the latest openconnect version, however when "make" the build the following error appeared:
>
> make[1]: *** No rule to make target '../libopenconnect.la', needed by 'serverhash'. Stop.
> make[1]: Leaving directory '/tmp/openconnect-9.01/tests'
> make: *** [Makefile:1749: check-recursive] Error 1
>
>
> I will try to install other releases which are newer than I have currently.
>
> Regards,
> Pavel
>
> From: Dimitri Papadopoulos <dimitri.papadopoulos at cea.fr>
> Sent: Tuesday, June 21, 2022 6:41 PM
> To: Pavel Gavronsky <kamm555 at hotmail.com>; openconnect-devel at lists.infradead.org <openconnect-devel at lists.infradead.org>
> Subject: Re: Openconnect supporting SafeNet eToken 5300
>
> Hi,
>
> Is this issue identical to that one filed a year ago?
>
> https://gitlab.com/openconnect/openconnect/-/issues/242
>
> Have you tried a newer version of OpenConnect as suggested in this issue?
>
> Best Regards,
> Dimitri
>
> Le 21/06/2022 à 16:38, Pavel Gavronsky a écrit :
>> Hello,
>>
>> I am using Openconnect with PULSE appliance where the authentication is done by SmartCard (ACS ACR39U ICC Reader). The connection is established without any issue.
>> When trying to use SafeNet USB eToken 5300 - there is an error "Loading certificate failed. Aborting. Failed to obtain WebVPN cookie".
>>
>> $ uname -a
>> Linux xxx-xx-A 5.10.0-10-amd64 #1 SMP Debian 5.10.84-1 (2021-12-08) x86_64 GNU/Linux
>>
>> Debugging info (GNUTLS_DEBUG_LEVEL=9):
>>
>> /usr/sbin/openconnect -V
>> OpenConnect version v8.10-2+b1
>> Using GnuTLS 3.7.1. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
>> Supported protocols: anyconnect (default), nc, gp, pulse
>>
>> openconnect --protocol=pulse pdc.xxx.xxx:443/xxxx --servercert "pin-sha256:xxxxcXCTMPxxx" -c 'pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=cert' -vvv
>> gnutls[2]: Enabled GnuTLS 3.7.1 logging...
>> gnutls[2]: getrandom random generator was detected
>> gnutls[2]: Intel SSSE3 was detected
>> gnutls[2]: Intel AES accelerator was detected
>> gnutls[2]: Intel GCM accelerator was detected
>> gnutls[2]: cfg: unable to access: /etc/gnutls/config: 2
>> Attempting to connect to server x.x.x.x:443
>> Connected to x.x.x.x:443
>> Using PKCS#11 certificate pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=cert
>> gnutls[2]: Initializing all PKCS #11 modules
>> gnutls[2]: p11: Initializing module: p11-kit-trust
>> gnutls[2]: p11: Initializing module: opensc
>> gnutls[2]: p11: Initializing module: opensc-pkcs11
>> gnutls[3]: ASSERT: ../../lib/pkcs11.c[compat_load]:896
>> gnutls[2]: p11: No login requested.
>> Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private
>> PIN required for xxx
>> Enter PIN:
>> gnutls[2]: p11: Login result = ok (0)
>> gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
>> gnutls[2]: p11: No login requested.
>> Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private
>> gnutls[2]: p11: Login result = ok (0)
>> gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
>> Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private
>> gnutls[2]: p11: Login result = ok (0)
>> gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
>> Error importing PKCS#11 URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private: The requested data were not available.
>> Loading certificate failed. Aborting.
>> Failed to obtain WebVPN cookie
>>
>>
>>
>>
>> pkcs11-tool --module /usr/lib/libeToken.so --list-token-slots
>> Available slots:
>> Slot 0 (0x0): SafeNet eToken 5300 [eToken 5300] (FFFFFFFFFFFF) 00 00
>> token label : xxxx
>> token manufacturer : Gemalto
>> token model : ID Prime MD
>> token flags : login required, rng, token initialized, PIN initialized, other flags=0x200
>> hardware version : 0.0
>> firmware version : 0.0
>> serial num : xxxx39
>> pin min/max : 4/16
>> Slot 1 (0x1): ACS ACR39U ICC Reader 01 00
>> token label : GSTEST01
>> token manufacturer : SafeNet, Inc.
>> token model : eToken
>> token flags : login required, rng, token initialized, PIN initialized, other flags=0x200
>> hardware version : 0.0
>> firmware version : 0.0
>> serial num : xx
>> pin min/max : 8/20
>>
>>
>> pkcs11-tool --module /usr/lib/libeTokenHID.so -v -l -t --slot 0
>> Using slot with ID 0x0
>> Logging in to "xxxx".
>> Please enter User PIN:
>> C_SeedRandom() and C_GenerateRandom():
>> seems to be OK
>> Digests:
>> all 4 digest functions seem to work
>> SHA-1: OK
>> Signatures (currently only for RSA)
>> testing key 0 ()
>> ERR: C_SignUpdate failed: CKR_KEY_FUNCTION_NOT_PERMITTED (0x68)
>> error: PKCS11 function C_Sign failed: rv = CKR_FUNCTION_FAILED (0x6)
>> Aborting.
>>
>>
>> pkcs11-tool --module /usr/lib/libeTokenHID.so -v -l -t --slot 1
>> Using slot with ID 0x1
>> Logging in to "xxxx".
>> Please enter User PIN:
>> C_SeedRandom() and C_GenerateRandom():
>> seems to be OK
>> Digests:
>> all 4 digest functions seem to work
>> SHA-1: OK
>> Signatures (currently only for RSA)
>> testing key 0 (No Friendly Name Available)
>> ERR: C_SignUpdate failed: CKR_KEY_FUNCTION_NOT_PERMITTED (0x68)
>> testing signature mechanisms:
>> RSA-PKCS: OK
>> SHA256-RSA-PKCS: OK
>> Verify (currently only for RSA)
>> testing key 0 (No Friendly Name Available)
>> RSA-PKCS: OK
>> Decryption (currently only for RSA)
>> testing key 0 (No Friendly Name Available)
>> -- mechanism can't be used to decrypt, skipping
>> -- mechanism can't be used to decrypt, skipping
>> -- mechanism can't be used to decrypt, skipping
>> -- mechanism can't be used to decrypt, skipping
>> -- mechanism can't be used to decrypt, skipping
>> -- mechanism can't be used to decrypt, skipping
>> RSA-PKCS: OK
>> RSA-PKCS-OAEP: mgf not set, defaulting to MGF1-SHA256
>> OAEP parameters: hashAlg=SHA256, mgf=MGF1-SHA256, source_type=0, source_ptr=(nil), source_len=0
>> OK
>> 1 errors
>>
>>
>> Any ideas?
>>
>> Thank you in advance,
>> Pavel
>> _______________________________________________
>> openconnect-devel mailing list
>> openconnect-devel at lists.infradead.org
>> http://lists.infradead.org/mailman/listinfo/openconnect-devel
More information about the openconnect-devel
mailing list