Certificate auth issue in 0.2.2
Nikos Mavrogiannopoulos
nmav at gnutls.org
Sun Dec 8 13:01:24 EST 2013
On Sun, 2013-12-08 at 23:35 +0800, Karl wrote:
> certtool --verify --load-ca-certificate ca-cert.pem --infile user-cert.pem
> Chain verification output: Verified. The certificate is trusted.
>
> I found it quite different between the iOS and Android AnyConnect clients;
> both failed to connect, but Android seems to go further: iOS always
> prompts for the username, Android will prompt for the password after the username is entered.
> Android client's log: http://pastebin.com/VxubQJQv
That client would only work with the ocserv version in the repository.
> iOS client's log: http://pastebin.com/XNYK6iRk
Here I see the following on the client's connection:
> ocserv[13876]: TLS[<4>]: REC[0x87d11c0]: Alert[2|46] - Unknown certificate - was received
Meaning that the client alerted that it doesn't like (trust) the server
certificate. Could that be the issue?
> ocserv[13879]: TLS[<2>]: ASSERT: cert.c:1094
> ocserv[13879]: [MYIP]:55974 error verifying client certificate
The client sent no certificate for some reason. That most likely would
be (a) because of the reason above, or (b) because the ca-cert set
doesn't match the client's issuer CA.
I'd suggest using the version in git as well, and trying to capture the
traffic with wireshark and send it to me (also the client's
certificate). With that I could rule out case b.
regards,
Nikos
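An added example, not part of the thread and not code from ocserv or GnuTLS: a small decoder for the kind of TLS alert record the server log above reports as "Alert[2|46]". It parses a plaintext TLS record, checks that it is an alert, and maps the level and description to their RFC 5246 names, so that "2|46" reads as a fatal certificate_unknown alert, which is what GnuTLS prints as "Unknown certificate". The sample record bytes are constructed here (TLS 1.0 version bytes are an assumption for the sample); the decoder only handles unencrypted alerts, the case for an alert sent during the handshake before keys are in use.

```python
"""Decode a plaintext TLS alert record and name its level and description.

Added example (not from ocserv or GnuTLS). Alert codes follow RFC 5246
section 7.2. Only unencrypted alerts are handled: once the record layer is
encrypted the alert body is no longer a bare two bytes.
"""
import struct

CONTENT_TYPE_ALERT = 21  # TLS record content type for alerts

ALERT_LEVELS = {1: "warning", 2: "fatal"}

# AlertDescription values from RFC 5246 (subset, all defined there).
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    47: "illegal_parameter",
    48: "unknown_ca",
    49: "access_denied",
    50: "decode_error",
    51: "decrypt_error",
    70: "protocol_version",
    71: "insufficient_security",
    80: "internal_error",
    90: "user_canceled",
    100: "no_renegotiation",
}

# Descriptions that mean the peer rejected the certificate it was shown.
CERTIFICATE_ALERTS = {42, 43, 44, 45, 46, 48}


def parse_alert_record(data: bytes) -> dict:
    """Parse one plaintext TLS record; return its alert fields.

    Raises ValueError if the record is not a well-formed plaintext alert.
    """
    if len(data) < 5:
        raise ValueError("record shorter than the 5-byte TLS header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype != CONTENT_TYPE_ALERT:
        raise ValueError(f"not an alert record (content type {ctype})")
    body = data[5:5 + length]
    if length != 2 or len(body) != 2:
        raise ValueError("plaintext alert body must be exactly 2 bytes")
    level, desc = body[0], body[1]
    return {
        "version": (major, minor),
        "level": level,
        "level_name": ALERT_LEVELS.get(level, "unknown"),
        "description": desc,
        "description_name": ALERT_DESCRIPTIONS.get(desc, "unknown"),
        # Same shape GnuTLS uses in its debug log: Alert[level|description]
        "gnutls_style": f"Alert[{level}|{desc}]",
        "certificate_related": desc in CERTIFICATE_ALERTS,
    }


# Constructed sample: content type 21 (alert), version 3.1, length 2,
# level 2 (fatal), description 46 (certificate_unknown).
SAMPLE_ALERT = b"\x15\x03\x01\x00\x02\x02\x2e"

if __name__ == "__main__":
    info = parse_alert_record(SAMPLE_ALERT)
    print(info["gnutls_style"], info["level_name"], info["description_name"])
    if info["certificate_related"]:
        print("peer rejected the certificate it was shown; check the chain "
              "sent to it and the CA set it trusts")
```

Feeding the decoder the bytes a packet capture shows for the alert record is enough to tell a certificate_unknown (46) from an unknown_ca (48), which narrows down whether the peer could not build a chain at all or simply does not have the issuing CA in its trust set.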