Certificate auth issue in 0.2.2
Karl
weeker at outlook.com
Sun Dec 8 14:23:15 EST 2013
Tried to check all the possibilities, with no luck. You mean capturing
the traffic with wireshark on server side? Is there any simple
instruction to do capture work? Thanks.
On Mon, Dec 9, 2013 at 2:01 AM, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> On Sun, 2013-12-08 at 23:35 +0800, Karl wrote:
>> certtool --verify --load-ca-certificate ca-cert.pem --infile user-cert.pem
>> Chain verification output: Verified. The certificate is trusted.
>>
>> I found it quite different between iOS and Android AnyConnect client,
>> both failed to connect, but Android looks go further, iOS always
>> prompts username, Android will prompt password after input username.
>> Android client's log: http://pastebin.com/VxubQJQv
>
> That client would only work with the ocserv version in the repository.
>
>> iOS client's log: http://pastebin.com/XNYK6iRk
>
> Here I see the following on the client's connection:
>> ocserv[13876]: TLS[<4>]: REC[0x87d11c0]: Alert[2|46] - Unknown
> certificate - was received
>
> Meaning that the client alerted that it doesn't like (trust) the server
> certificate. Could that be the issue?
>
>> ocserv[13879]: TLS[<2>]: ASSERT: cert.c:1094
>> ocserv[13879]: [MYIP]:55974 error verifying client certificate
>
> The client sent no certificate for some reason. That most likely would
> be (a) because of the reason above, or (b) because the ca-cert set
> doesn't match the client's issuer CA.
>
> I'd suggest to use the version in git as well, and try capturing the
> traffic with wireshark and send it to me (also the client's
> certificate). With that I could rule out case b.
>
> regards,
> Nikos
>
>
More information about the openconnect-devel
mailing list