Connection Failure

Gareth Williams gareth at
Sat Jul 26 13:54:58 PDT 2014


I'm trying to connect to an OpenConnect server running on CentOS 7 on a 
remote Digital Ocean VM (this is set up purely for 
experimenting/learning purposes).  For the sake of simplicity, I've 
disabled SELinux and the firewall on the VM.

I'm using Fedora 20 as the client and attempting to set up a connection 
using Network Manager.

I'm using a self-signed CA from which I've generated the server 
certificate and key and the client certificate and key.  This was all 
done on openssl as opposed to the gnutls in the example on your website - I 
hope that doesn't make a difference.

Unfortunately, I'm getting the message below when I run the server in a 
terminal with debugging enabled.

Does it mean anything to anyone?  The lines that concern me are the ones 
about obtaining the username.

The subject of the client certificate is:-

subject= /C=GB/ST=West Yorkshire/L=Otley/O=Gareth 
Williams/OU=OpenConnectClient/CN=gareth/emailAddress=gareth at

which I extracted using openssl x509 -in <cert> -noout -subject

The CN is 'gareth' and that's a user on the VM.  I'm not 100% certain I 
understand what that should be as I'm not logging in with a 

ocserv[5011]: worker: HTTP: Host: [0/1333]
ocserv[5011]: worker: HTTP: User-Agent: OpenConnect 
VPN Agent (NetworkManager) v6.00
ocserv[5011]: worker: User-agent: 'OpenConnect VPN 
Agent (NetworkManager) v6.00'
ocserv[5011]: worker: HTTP: Accept: */*
ocserv[5011]: worker: HTTP: Accept-Encoding: identity
ocserv[5011]: worker: HTTP: X-Transcend-Version: 1
ocserv[5011]: worker: HTTP GET /
ocserv[5011]: TLS[<2>]: ASSERT: dn.c:239
ocserv[5011]: worker: worker-auth.c:397: cannot 
obtain user from certificate DN: The given memory buffer is too short to 
hold parameters.
ocserv[5011]: worker: worker-auth.c:765: cannot get 
username ((null)) from certificate
ocserv[5011]: worker: cannot obtain certificate 
ocserv[5011]: TLS[<2>]: ASSERT: gnutls_buffers.c:613
ocserv[5011]: TLS[<4>]: REC: Sending Alert[1|0] - Close notify
ocserv[5011]: TLS[<4>]: REC[0x1b02db0]: Preparing Packet Alert(21) with 
length: 2 and target length: 2
ocserv[5011]: TLS[<9>]: ENC[0x1b02db0]: cipher: AES-128-CBC, MAC: SHA1, 
Epoch: 1
ocserv[5011]: TLS[<4>]: REC[0x1b02db0]: Sent Packet[2] Alert(21) in 
epoch 1 and length: 37
ocserv[5011]: TLS[<4>]: REC[0x1b02db0]: Start of epoch cleanup
ocserv[5011]: TLS[<4>]: REC[0x1b02db0]: End of epoch cleanup
ocserv[5011]: TLS[<4>]: REC[0x1b02db0]: Epoch #1 freed
ocserv[5008]: main: main-misc.c:414: command socket 
ocserv[5008]: main: removing client '' with id '5011'

Can anyone give me some guidance as to where I've gone wrong?

Thanks in advance,
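The server log above says it cannot obtain the user from the certificate DN, so the useful thing to pin down first is what the DN actually contains and which attribute is expected to become the username. The following is an added example (not part of the original post, and not ocserv or OpenConnect code): it parses the legacy slash-separated subject line that `openssl x509 -noout -subject` prints, maps the attribute short names to their OIDs, and pulls out a single unambiguous value for the attribute chosen as the user attribute. The sample subject and the e-mail address in it are constructed (the list archive hides the real address), and the OID-to-short-name table is the standard X.520/PKCS#9 mapping; `2.5.4.3` is the CN OID, which is the attribute ocserv's `cert-user-oid` setting selects by default.

```python
import re

# Constructed sample: the subject line in the form printed by
# `openssl x509 -in <cert> -noout -subject` on older OpenSSL releases
# (legacy slash-separated form). The e-mail address is made up.
SAMPLE_SUBJECT = ("subject= /C=GB/ST=West Yorkshire/L=Otley/O=Gareth Williams"
                  "/OU=OpenConnectClient/CN=gareth/emailAddress=gareth@example.invalid")

# Short names OpenSSL prints, mapped to their dotted OIDs. A VPN server that
# picks the username by OID (such as ocserv's cert-user-oid) compares against
# the OID, not the short name; 2.5.4.3 is commonName.
SHORT_NAME_TO_OID = {
    "C": "2.5.4.6",
    "ST": "2.5.4.8",
    "L": "2.5.4.7",
    "O": "2.5.4.10",
    "OU": "2.5.4.11",
    "CN": "2.5.4.3",
    "emailAddress": "1.2.840.113549.1.9.1",
}

# Conservative POSIX-style account name check (assumption: the VPN maps the
# certificate attribute directly onto a local account name).
LOCAL_USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def parse_openssl_subject(line):
    """Parse 'subject= /K=v/K=v...' into an ordered list of (short_name, value).

    A list rather than a dict, because a DN may legitimately repeat an
    attribute (for example two OU= components), and that case matters below.
    """
    body = line.split("=", 1)[1].strip() if line.startswith("subject") else line.strip()
    if not body.startswith("/"):
        raise ValueError("expected the legacy slash-separated subject form, got: %r" % line)
    # Split only on a '/' that is immediately followed by 'name=', so a '/'
    # inside a value (possible in the legacy format) does not split a field.
    parts = re.split(r"/(?=[A-Za-z][A-Za-z0-9]*=)", body[1:])
    rdns = []
    for part in parts:
        key, sep, value = part.partition("=")
        if not key or not sep:
            raise ValueError("malformed DN component %r" % part)
        rdns.append((key, value))
    return rdns


def username_from_subject(line, user_oid="2.5.4.3"):
    """Return the value of the attribute with OID user_oid, or None.

    None is returned both when the attribute is absent and when it occurs
    more than once: an ambiguous username should be rejected, not guessed.
    """
    matches = [value for name, value in parse_openssl_subject(line)
               if SHORT_NAME_TO_OID.get(name) == user_oid]
    if len(matches) != 1:
        return None
    return matches[0]


def is_plausible_local_username(name):
    """True if the extracted value looks like a local account name."""
    return bool(name) and LOCAL_USERNAME_RE.match(name) is not None


if __name__ == "__main__":
    for short_name, value in parse_openssl_subject(SAMPLE_SUBJECT):
        print("%-12s (%s) = %s" % (short_name, SHORT_NAME_TO_OID.get(short_name, "?"), value))
    user = username_from_subject(SAMPLE_SUBJECT)
    print("username from CN:", user, "plausible local account:",
          is_plausible_local_username(user))
```

Run it against the real subject line of the client certificate to confirm the CN is the only CN in the DN and that it is the value the server is expected to match. Newer OpenSSL releases print the subject in the comma-separated `C = GB, ST = ...` form by default; this parser deliberately rejects that form rather than misparse it, so on such a system pass `-nameopt compat` (or adapt the split) to get the slash form shown in the post.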

