openconnect with Belgian EID

Christof Haerens christof at haerens.be
Fri Nov 15 14:08:30 EST 2013


Hi,

Seems to work with this version. CAs are loaded on the fly:

[root@bender test]# md5sum openconnect-f19-x64-cert-chain-from-p11
45367433204c7c7ce7a28607714a4a24 openconnect-f19-x64-cert-chain-from-p11
[root@bender test]#
[root@bender test]# ./openconnect-f19-x64-cert-chain-from-p11 -v -c 'pkcs11:token=BELPIC%20%28Basic%20PIN%29;id=%02' https://vpn1
POST https://vpn1/
Attempting to connect to server
Using PKCS#11 certificate pkcs11:token=BELPIC%20%28Basic%20PIN%29;id=%02;object-type=cert;pin-source=openconnect%3a0xd807f0
PIN required for BELPIC (Basic PIN)
Enter PIN:
Using PKCS#11 key pkcs11:token=BELPIC%20%28Basic%20PIN%29;id=%02;object-type=private;pin-source=openconnect%3a0xd807f0
Using client certificate 'Christof Haerens (Authentication)'
Got next CA 'Citizen CA' from PKCS11
Got next CA 'Belgium Root CA2' from PKCS11
Adding supporting CA 'Citizen CA'
SSL negotiation with vpn1
Connected to HTTPS on vpn1
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Fri, 15 Nov 2013 19:04:15 GMT
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length:  (0)
GET https://vpn1/
SSL negotiation with vpn1
Connected to HTTPS on vpn1
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Fri, 15 Nov 2013 19:04:16 GMT
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length:  (0)
GET https://vpn1/+webvpn+/index.html
SSL negotiation with vpn1
Connected to HTTPS on vpn1
Got HTTP response: HTTP/1.1 200 OK


On 11/15/2013 07:15 PM, David Woodhouse wrote:
> On Fri, 2013-11-15 at 17:30 +0000, David Woodhouse wrote:
>> On Fri, 2013-11-15 at 17:27 +0000, David Woodhouse wrote:
>>> 577bb5bc78bcd48c8f3f6c77368ea428f7cbec1e  http://david.woodhou.se/openconnect-f19-x64-cert-chain-from-p11
>> Make that f063c62a8677537280f7d1f47bb28c9ab7983ef7; I just updated it.
> And with 009d5e0cd12d61485f922bf507c0cabab381423b I think I've fixed the
> endless loop you were seeing...?
>



