Openconnect no-xmlpost

David Woodhouse dwmw2 at infradead.org
Wed Nov 5 03:07:01 PST 2014


On Wed, 2014-11-05 at 11:50 +0100, Nikos Mavrogiannopoulos wrote:
> On Wed, Nov 5, 2014 at 10:48 AM, David Woodhouse <dwmw2 at infradead.org> wrote:
> >> I tested this by editing the wrapperscript and adding an 'echo
> >> "Arguments: $ARGS" >> /tmp/foo'. It seems the wrapperscript isn't
> >> being run at all in the cases where it is not working, cause nothing is
> >> being written to /tmp/foo. When it's working it looks like this:
> >> -log debug -ticket "XXXXXXXXX" -stub "0" -group "" -host
> >> "https://vpn.xyz.com/CACHE" -certhash "XXXXXXXXX:�
> >> ��ef�,�K^z��11T�ҪD "
> > That -certhash argument looks horribly wrong. This ought to fix it but I
> > can't easily test because for me, gnutls_certificate_get_ours() is
> > returning failure (both for file and PKCS#11 certs). Got to run now;
> > will hassle Nikos about that later :)
> 
> That prompted me to add a unit test and realized it works ok. My
> understanding of the cisco server is that it requires and asks the
> certificate once, on the first connection to the server (i.e., the one
> that gets the cookie). After that you can establish new ssl
> connections with the cookie without the certificate. Could that issue
> be because of that (e.g., no hash to supply to the script)?

Yeah, I'm just looking at it now. If we *do* get asked for the client
cert, then gnutls_certificate_get_ours() returns it. If we happen to
have *not* been asked for the certificate on the latest connection to
the server, then gnutls_certificate_get_ours() doesn't do what we want.

I think I need a way to return the hash of the certificate which we
*would* have offered, if the server had asked for it. Which might mean
precalculating it in our load_certificate() function.

-- 
dwmw2
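As an added illustration (not openconnect's code), the approach David sketches at the end: compute the client certificate's fingerprint once when the certificate is loaded, cache it as a hex string, and build the -certhash argument from that cached value instead of from whatever gnutls_certificate_get_ours() returns after the latest handshake. The struct, the function names and the 16-byte digest length are assumptions; the digest bytes are constructed.

```c
#include <stdio.h>
#include <string.h>

#define CERT_DIGEST_LEN 16  /* assumption: MD5-sized digest */

/* Hypothetical per-connection state: the hex fingerprint is computed once when
 * the certificate is loaded, so it does not depend on whether the server
 * requested the client certificate on the most recent TLS handshake. */
struct cert_state {
    int have_cert;
    char certhash_hex[CERT_DIGEST_LEN * 2 + 1];
};

/* Render raw digest bytes as lowercase hex, NUL-terminated.
 * Returns the number of hex characters written, or -1 if out is too small. */
int digest_to_hex(const unsigned char *digest, size_t len, char *out, size_t outlen)
{
    static const char hexchars[] = "0123456789abcdef";
    if (outlen < len * 2 + 1) return -1;
    for (size_t i = 0; i < len; i++) {
        out[2 * i]     = hexchars[digest[i] >> 4];
        out[2 * i + 1] = hexchars[digest[i] & 0x0f];
    }
    out[len * 2] = '\0';
    return (int)(len * 2);
}

/* Called once from the (hypothetical) load_certificate() path; real code would
 * compute the digest over the certificate's DER encoding here. */
int cache_cert_fingerprint(struct cert_state *st, const unsigned char *digest, size_t len)
{
    if (len != CERT_DIGEST_LEN || digest_to_hex(digest, len, st->certhash_hex, sizeof st->certhash_hex) < 0)
        return -1;
    st->have_cert = 1;
    return 0;
}

/* Self-check on a constructed digest that starts with a NUL and contains a
 * double quote: spliced raw into "-certhash \"%s\"" it would print as an empty
 * string and break the quoting; the cached hex form is safe. Returns 1 on success. */
int selftest(void)
{
    static const unsigned char digest[CERT_DIGEST_LEN] = {
        0x00, 0x22, 0xef, 0x2c, 0x4b, 0x5e, 0x7a, 0x31,
        0x31, 0x54, 0xd2, 0xaa, 0x44, 0x20, 0x9f, 0xff };
    struct cert_state st = { 0 };
    if (cache_cert_fingerprint(&st, digest, sizeof digest) != 0) return 0;
    return strlen((const char *)digest) == 0 &&
           strcmp(st.certhash_hex, "0022ef2c4b5e7a313154d2aa44209fff") == 0;
}
```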