openconnect with Belgian EID

Christof Haerens christof at
Fri Nov 8 07:13:25 EST 2013

Well you helped me getting things to work, so if you need someone to test these things with the Belgian EID, let me know.

On 11/08/2013 12:16 AM, David Woodhouse wrote:
> On Thu, 2013-11-07 at 17:08 +0100, Nikos Mavrogiannopoulos wrote:
>> On Tue, Nov 5, 2013 at 4:14 PM, David Woodhouse <dwmw2 at> wrote:
>>> If either of them are responsible for signing your personal cert, then
>>> OpenConnect will include them in its SSL negotiation, and that can often
>>> 'help' the server to realise that it actually *does* trust the cert in
>>> question.
>>> If that's the issue, then perhaps OpenConnect needs to be taught to go
>>> looking for these 'supporting' certs in the PKCS#11 store, as well as
>>> the --cafile. But then again, perhaps GnuTLS ought to do that for
>>> itself.
>>> Nikos?
>> Indeed, that's a nice feature and not too difficult to be implemented
>> as PKCS #11 allows searching stored certificates using a DN. It is on
>> my todo-list for quite some time but never found the time for that.
>> Patches are (of course) more than welcome!
> Ick, please not by name! It should be done by key ID.
> If we have to do it by DN, is there at least a way to say "that wasn't
> the one I wanted. Please give me the *next* cert with the same name"?
> This code would slot in at about line 1642 of OpenConnect's gnutls.c, if
> gnutls_certificate_get_issuer() fails to find an appropriate issuer in
> the system CA file. (Hey, if we want to make
> gnutls_certificate_get_issuer() just *work* in this situation and find
> it in the PKCS#11 token, that's great too!)
> For the benefit of the peanut gallery and the the archives, this *is*
> the solution to Christof's problem. The supporting CA 'Citizen CA' is
> also present on the token, and the client needs to explicitly include
> that in the SSL negotiations on the wire because the server can't find
> it for itself.
> _______________________________________________
> openconnect-devel mailing list
> openconnect-devel at

More information about the openconnect-devel mailing list