Certificate auth issue in 0.2.2

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun Dec 8 13:01:24 EST 2013

On Sun, 2013-12-08 at 23:35 +0800, Karl wrote:
> certtool --verify --load-ca-certificate ca-cert.pem --infile user-cert.pem
> Chain verification output: Verified. The certificate is trusted.
> I found it quite different between iOS and Android AnyConnect client,
> both failed to connect, but Android looks go further, iOS always
> prompts username, Android will prompt password after input username.
> Android client's log: http://pastebin.com/VxubQJQv

That client would only work with the ocserv version in the repository.

> iOS client's log: http://pastebin.com/XNYK6iRk

Here I see the following on the client's connection:
> ocserv[13876]: TLS[<4>]: REC[0x87d11c0]: Alert[2|46] - Unknown
certificate - was received

Meaning that the client alerted that it doesn't like (trust) the server
certificate. Could that be the issue?

> ocserv[13879]: TLS[<2>]: ASSERT: cert.c:1094
> ocserv[13879]: [MYIP]:55974 error verifying client certificate

The client sent no certificate for some reason. That most likely would
be (a) because of the reason above, or (b) because the ca-cert set
doesn't match the client's issuer CA.

I'd suggest to use the version in git as well, and try capturing the
traffic with wireshark and send it to me (also the client's
certificate). With that I could rule out case b.


More information about the openconnect-devel mailing list