openconnect with Belgian EID

Nikos Mavrogiannopoulos n.mavrogiannopoulos at
Thu Nov 7 11:08:12 EST 2013

On Tue, Nov 5, 2013 at 4:14 PM, David Woodhouse <dwmw2 at> wrote:

> If either of them are responsible for signing your personal cert, then
> OpenConnect will include them in its SSL negotiation, and that can often
> 'help' the server to realise that it actually *does* trust the cert in
> question.
> If that's the issue, then perhaps OpenConnect needs to be taught to go
> looking for these 'supporting' certs in the PKCS#11 store, as well as
> the --cafile. But then again, perhaps GnuTLS ought to do that for
> itself.
> Nikos?

Indeed, that's a nice feature and not too difficult to be implemented
as PKCS #11 allows searching stored certificates using a DN. It is on
my todo-list for quite some time but never found the time for that.
Patches are (of course) more than welcome!


More information about the openconnect-devel mailing list