openconnect with Belgian EID

Nikos Mavrogiannopoulos n.mavrogiannopoulos at
Sat Nov 9 17:10:31 EST 2013

On Thu, Nov 7, 2013 at 5:08 PM, Nikos Mavrogiannopoulos
<n.mavrogiannopoulos at> wrote:
>> If either of them are responsible for signing your personal cert, then
>> OpenConnect will include them in its SSL negotiation, and that can often
>> 'help' the server to realise that it actually *does* trust the cert in
>> question.
>> If that's the issue, then perhaps OpenConnect needs to be taught to go
>> looking for these 'supporting' certs in the PKCS#11 store, as well as
>> the --cafile. But then again, perhaps GnuTLS ought to do that for
>> itself.
>> Nikos?
> Indeed, that's a nice feature and not too difficult to be implemented
> as PKCS #11 allows searching stored certificates using a DN. It is on
> my todo-list for quite some time but never found the time for that.
> Patches are (of course) more than welcome!

Ok, it seems I've managed to implement it. If you're using
gnutls_certificate_set_x509_key_file() then the full chain will be
loaded when using the version at the git repository (or 3.2.7 when
that is released).


More information about the openconnect-devel mailing list