Certificate auth issue in 0.2.2

Karl weeker at outlook.com
Tue Dec 10 14:50:43 EST 2013


Hi, Nikos, after adding Digital Signature, Key Encipherment, Data
Encipherment, Certificate Sign, TLS Web Client Authentication to the
user cert, it looks *better*. I sent the logs in case you are interested
in looking.

ocserv[20805]: [vpn.server.com]:49540 accepted connection
ocserv[20805]: [vpn.server.com]:49540 error verifying client
certificate: No certificate was found.
ocserv[20799]: sec-mod received request from pid 20805 and uid 65534
ocserv[20805]: [vpn.server.com]:49540 TLS handshake completed
ocserv[20805]: [vpn.server.com]:49540 no certificate provided for authentication
ocserv[20798]: [vpn.server.com]:49540 command socket closed
ocserv[20806]: [vpn.server.com]:49541 accepted connection
ocserv[20806]: [vpn.server.com]:49541 sending resumption request (fetch)
ocserv[20806]: [vpn.server.com]:49541 error verifying client
certificate: No certificate was found.
ocserv[20806]: [vpn.server.com]:49541 TLS handshake completed
ocserv[20806]: [vpn.server.com]:49541 no certificate provided for authentication
ocserv[20798]: [vpn.server.com]:49541 command socket closed
ocserv[20807]: [vpn.server.com]:49542 accepted connection
ocserv[20807]: [vpn.server.com]:49542 error verifying client
certificate: No certificate was found.
ocserv[20799]: sec-mod received request from pid 20807 and uid 65534
ocserv[20807]: [vpn.server.com]:49542 TLS handshake completed
ocserv[20798]: [vpn.server.com]:49542 command socket closed



On Tue, Dec 10, 2013 at 3:48 PM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
> On Mon, Dec 9, 2013 at 11:04 PM, Karl <weeker at outlook.com> wrote:
>> That works great on Android now. Thanks, Nikos.
>>
>> On iOS client, it still fails at infinite username prompt, log:
>>
>> ocserv[14809]: [MYIP]:61337 accepted connection
>> ocserv[14809]: GnuTLS error (at worker-vpn.c:571): The TLS connection
>> was non-properly terminated.
>> ocserv[14807]: [MYIP]:61337 command socket closed
>>
>> tls-debug log: http://pastebin.com/9SAjZJ79
>> iOS client complains: No valid certificates available for
>> authentication. Which Cisco doc said: "The secure gateway did not
>> accept any of the certificates AnyConnect provided. No more
>> certificates remain."
>
> Well, I cannot tell much from the log as I don't know which gnutls
> version it corresponds to. However what I see there is the client
> receiving the certificate request and (possibly) bailing out. That
> could mean that the client didn't like the CA certificate that was
> sent by the server (possibly it didn't correspond to its client
> certificate?). Is there debugging output available on the iOS client?
>
> regards,
> Nikos
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Logs2013-12-11iPhone03_42_59.zip
Type: application/zip
Size: 4522 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20131211/2e0aa5b9/attachment.zip>
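
A small triage script for logs like the ones in this message, added here as an example (it is not part of the original thread or of ocserv): it re-joins records that the mail client wrapped and records, per connection, whether the TLS handshake completed and what client-certificate verification reported. The sample is a subset of the log lines quoted above; the function names and the per-connection record layout are assumptions.

```python
import re

# Subset of the ocserv lines from the message, with the mail client's wrapping kept.
SAMPLE = """\
ocserv[20805]: [vpn.server.com]:49540 accepted connection
ocserv[20805]: [vpn.server.com]:49540 error verifying client
certificate: No certificate was found.
ocserv[20799]: sec-mod received request from pid 20805 and uid 65534
ocserv[20805]: [vpn.server.com]:49540 TLS handshake completed
ocserv[20805]: [vpn.server.com]:49540 no certificate provided for authentication
ocserv[20798]: [vpn.server.com]:49540 command socket closed
ocserv[20807]: [vpn.server.com]:49542 accepted connection
ocserv[20807]: [vpn.server.com]:49542 error verifying client
certificate: No certificate was found.
ocserv[20807]: [vpn.server.com]:49542 TLS handshake completed
ocserv[20798]: [vpn.server.com]:49542 command socket closed
"""

LINE = re.compile(r"^ocserv\[(\d+)\]: \[([^\]]+)\]:(\d+) (.*)$")

def unwrap(text):
    """Re-join records that were wrapped onto a second line."""
    records = []
    for raw in text.splitlines():
        if raw.startswith("ocserv[") or not records:
            records.append(raw.strip())
        elif raw.strip():
            records[-1] += " " + raw.strip()
    return records

def summarize(text):
    """Map each peer 'host:port' to the certificate outcome seen on it."""
    conns = {}
    for rec in unwrap(text):
        m = LINE.match(rec)
        if not m:  # sec-mod lines carry no peer address
            continue
        peer = f"{m.group(2)}:{m.group(3)}"
        state = conns.setdefault(peer, {"handshake": False, "cert_error": None, "no_cert_auth": False})
        msg = m.group(4)
        if msg.startswith("error verifying client certificate:"):
            state["cert_error"] = msg.split(":", 1)[1].strip()
        elif msg == "TLS handshake completed":
            state["handshake"] = True
        elif msg == "no certificate provided for authentication":
            state["no_cert_auth"] = True
    return conns
```

On the sample, both connections show a completed handshake together with "No certificate was found.", which separates a client that sent no certificate from one whose TLS handshake failed.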
