Can't make certificate auth work
Dangyi Liu
leedypku at gmail.com
Wed Sep 16 08:20:15 PDT 2015
Hi,
I have successfully made password authentication work with iOS AnyConnect and ocserv 0.10.8. But when I try to change to certificate authentication, it complains
client certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.
I followed every instruction in http://www.infradead.org/ocserv/manual.html. However, when I execute "certtool --to-p12", it prompts "Enter a name for the key: " which is not mentioned in the manual. Is it related to my problem? Or maybe I just have a wrong config?
Following are my config and log.
[config]
auth = "certificate"
tcp-port = 443
udp-port = 443
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
server-cert = /etc/ssl/private/my-server-cert.pem
server-key = /etc/ssl/private/my-server-key.pem
ca-cert = /etc/ocserv/ca-cert.pem
isolate-workers = true
max-clients = 16
max-same-clients = 2
keepalive = 32400
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = true
cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 40
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = example.com
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
dns = 8.8.8.8
ping-leases = false
no-route = 192.168.5.0/255.255.255.0
cisco-client-compat = true
[/config]
[log]
# ocserv -f -d 99
Setting 'certificate' as primary authentication method
listening (TCP) on 0.0.0.0:443...
listening (TCP) on [::]:443...
listening (UDP) on 0.0.0.0:443...
listening (UDP) on [::]:443...
ocserv[15023]: main: initializing control unix socket: /var/run/occtl.socket
ocserv[15023]: main: initialized ocserv 0.10.8
ocserv[15024]: sec-mod: reading supplemental config from files
ocserv[15024]: sec-mod: sec-mod initialized (socket: /var/run/ocserv-socket.15023)
ocserv[15024]: sec-mod: received request from pid 15023 and uid 0
ocserv[15024]: sec-mod: cmd [size=55] sm: sign
ocserv[15023]: main: processed 1 CA certificate(s)
ocserv[15023]: main: added 1 points (total 1) for IP '162.105.233.177' to ban list
ocserv[15025]: worker: accepted connection
ocserv[15025]: TLS[<5>]: REC[0x83c3260]: Allocating epoch #0
ocserv[15025]: TLS[<3>]: ASSERT: gnutls_constate.c:586
ocserv[15025]: TLS[<5>]: REC[0x83c3260]: Allocating epoch #1
ocserv[15025]: TLS[<3>]: ASSERT: gnutls_buffers.c:1104
ocserv[15025]: TLS[<5>]: REC[0x83c3260]: SSL 3.1 Handshake packet received. Epoch 0, length: 167
ocserv[15025]: TLS[<5>]: REC[0x83c3260]: Expected Packet Handshake(22)
ocserv[15025]: TLS[<5>]: REC[0x83c3260]: Received Packet Handshake(22) with length: 167
ocserv[15025]: TLS[<5>]: REC[0x83c3260]: Decrypted Packet[0] Handshake(22) with length: 167
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: CLIENT HELLO (1) was received. Length 163[163], frag offset 0, frag length: 163, sequence: 0
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Client's version: 3.3
ocserv[15025]: TLS[<3>]: ASSERT: gnutls_db.c:263
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: Parsing extension 'SERVER NAME/0' (16 bytes)
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: Found extension 'SUPPORTED ECC POINT FORMATS/11'
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: Found extension 'SUPPORTED ECC/10'
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: Found extension 'SIGNATURE ALGORITHMS/13'
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: Found extension 'SERVER NAME/0'
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: Found extension 'SUPPORTED ECC POINT FORMATS/11'
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: Found extension 'SUPPORTED ECC/10'
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: Found extension 'SIGNATURE ALGORITHMS/13'
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: Found extension 'SERVER NAME/0'
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: Parsing extension 'SUPPORTED ECC POINT FORMATS/11' (4 bytes)
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: Parsing extension 'SUPPORTED ECC/10' (10 bytes)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Selected ECC curve SECP521R1 (4)
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: Parsing extension 'SIGNATURE ALGORITHMS/13' (28 bytes)
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: rcvd signature algo (0.0) (null)
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: rcvd signature algo (4.1) RSA-SHA256
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: rcvd signature algo (5.1) RSA-SHA384
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: rcvd signature algo (6.1) RSA-SHA512
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: rcvd signature algo (3.1) RSA-SHA224
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: rcvd signature algo (2.1) RSA-SHA1
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: rcvd signature algo (1.1) RSA-MD5
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: rcvd signature algo (2.2) DSA-SHA1
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: rcvd signature algo (4.3) ECDSA-SHA256
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: rcvd signature algo (5.3) ECDSA-SHA384
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: rcvd signature algo (6.3) ECDSA-SHA512
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: rcvd signature algo (3.3) ECDSA-SHA224
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: rcvd signature algo (2.3) ECDSA-SHA1
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Received safe renegotiation CS
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Requested PK algorithm: EC (4) -- ctype: X.509 (1)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: certificate[0] PK algorithm: RSA (1) - ctype: X.509 (1)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Requested PK algorithm: RSA (1) -- ctype: X.509 (1)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: certificate[0] PK algorithm: RSA (1) - ctype: X.509 (1)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: ECDHE_ECDSA_AES_128_GCM_SHA256
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: ECDHE_ECDSA_AES_256_GCM_SHA384
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: ECDHE_ECDSA_AES_128_CBC_SHA1
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: ECDHE_ECDSA_AES_128_CBC_SHA256
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: ECDHE_ECDSA_AES_256_CBC_SHA1
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: ECDHE_ECDSA_AES_256_CBC_SHA384
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: ECDHE_ECDSA_3DES_EDE_CBC_SHA1
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: ECDHE_ECDSA_ARCFOUR_128_SHA1
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Keeping ciphersuite: ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Keeping ciphersuite: ECDHE_RSA_AES_256_GCM_SHA384 (C0.30)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Keeping ciphersuite: ECDHE_RSA_AES_128_CBC_SHA1 (C0.13)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Keeping ciphersuite: ECDHE_RSA_AES_128_CBC_SHA256 (C0.27)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Keeping ciphersuite: ECDHE_RSA_AES_256_CBC_SHA1 (C0.14)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Keeping ciphersuite: ECDHE_RSA_AES_256_CBC_SHA384 (C0.28)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_256_CBC_SHA384 (C0.77)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Keeping ciphersuite: ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Keeping ciphersuite: ECDHE_RSA_ARCFOUR_128_SHA1 (C0.11)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Keeping ciphersuite: RSA_AES_128_GCM_SHA256 (00.9C)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Keeping ciphersuite: RSA_AES_256_GCM_SHA384 (00.9D)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Keeping ciphersuite: RSA_CAMELLIA_128_GCM_SHA256 (C0.7A)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Keeping ciphersuite: RSA_CAMELLIA_256_GCM_SHA384 (C0.7B)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1 (00.2F)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256 (00.3C)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1 (00.35)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256 (00.3D)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1 (00.41)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA256 (00.BA)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1 (00.84)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA256 (00.C0)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1 (00.0A)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Keeping ciphersuite: RSA_ARCFOUR_128_SHA1 (00.05)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Keeping ciphersuite: RSA_ARCFOUR_128_MD5 (00.04)
ocserv[15025]: TLS[<3>]: ASSERT: gnutls_handshake.c:3349
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: DHE_RSA_AES_128_GCM_SHA256
ocserv[15025]: TLS[<3>]: ASSERT: gnutls_handshake.c:3349
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: DHE_RSA_AES_256_GCM_SHA384
ocserv[15025]: TLS[<3>]: ASSERT: gnutls_handshake.c:3349
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: DHE_RSA_CAMELLIA_128_GCM_SHA256
ocserv[15025]: TLS[<3>]: ASSERT: gnutls_handshake.c:3349
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: DHE_RSA_CAMELLIA_256_GCM_SHA384
ocserv[15025]: TLS[<3>]: ASSERT: gnutls_handshake.c:3349
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: DHE_RSA_AES_128_CBC_SHA1
ocserv[15025]: TLS[<3>]: ASSERT: gnutls_handshake.c:3349
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: DHE_RSA_AES_128_CBC_SHA256
ocserv[15025]: TLS[<3>]: ASSERT: gnutls_handshake.c:3349
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: DHE_RSA_AES_256_CBC_SHA1
ocserv[15025]: TLS[<3>]: ASSERT: gnutls_handshake.c:3349
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: DHE_RSA_AES_256_CBC_SHA256
ocserv[15025]: TLS[<3>]: ASSERT: gnutls_handshake.c:3349
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
ocserv[15025]: TLS[<3>]: ASSERT: gnutls_handshake.c:3349
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA256
ocserv[15025]: TLS[<3>]: ASSERT: gnutls_handshake.c:3349
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
ocserv[15025]: TLS[<3>]: ASSERT: gnutls_handshake.c:3349
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA256
ocserv[15025]: TLS[<3>]: ASSERT: gnutls_handshake.c:3349
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: DHE_DSS_AES_128_GCM_SHA256
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: DHE_DSS_AES_256_GCM_SHA384
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: DHE_DSS_CAMELLIA_128_GCM_SHA256
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: DHE_DSS_CAMELLIA_256_GCM_SHA384
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: DHE_DSS_AES_128_CBC_SHA1
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: DHE_DSS_AES_128_CBC_SHA256
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: DHE_DSS_AES_256_CBC_SHA1
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: DHE_DSS_AES_256_CBC_SHA256
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA256
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA256
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Removing ciphersuite: DHE_DSS_ARCFOUR_128_SHA1
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Requested cipher suites[size: 48]:
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Selected cipher suite: ECDHE_RSA_AES_128_GCM_SHA256
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Selected Compression Method: NULL
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: Safe renegotiation succeeded
ocserv[15025]: TLS[<3>]: ASSERT: status_request.c:218
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: Sending extension SAFE RENEGOTIATION (1 bytes)
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: Sending extension SUPPORTED ECC POINT FORMATS (2 bytes)
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: SessionID: c4a9a99462bfd614b1b25f48f6d58728c142e29b37af46618fb964a5570aaa9d
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: SERVER HELLO was queued [87 bytes]
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: CERTIFICATE was queued [879 bytes]
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: signing handshake data: using RSA-SHA256
ocserv[15024]: sec-mod: received request from pid 15025 and uid 65534
ocserv[15024]: sec-mod: cmd [size=55] sm: sign
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: SERVER KEY EXCHANGE was queued [401 bytes]
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: sent signature algo (4.1) RSA-SHA256
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: sent signature algo (4.2) DSA-SHA256
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: sent signature algo (4.3) ECDSA-SHA256
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: sent signature algo (5.1) RSA-SHA384
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: sent signature algo (5.3) ECDSA-SHA384
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: sent signature algo (6.1) RSA-SHA512
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: sent signature algo (6.3) ECDSA-SHA512
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: sent signature algo (3.1) RSA-SHA224
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: sent signature algo (3.2) DSA-SHA224
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: sent signature algo (3.3) ECDSA-SHA224
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: sent signature algo (2.1) RSA-SHA1
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: sent signature algo (2.2) DSA-SHA1
ocserv[15025]: TLS[<4>]: EXT[0x83c3260]: sent signature algo (2.3) ECDSA-SHA1
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: CERTIFICATE REQUEST was queued [78 bytes]
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: SERVER HELLO DONE was queued [4 bytes]
ocserv[15025]: TLS[<5>]: REC[0x83c3260]: Preparing Packet Handshake(22) with length: 87 and min pad: 0
ocserv[15025]: TLS[<9>]: ENC[0x83c3260]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
ocserv[15025]: TLS[<5>]: REC[0x83c3260]: Sent Packet[1] Handshake(22) in epoch 0 and length: 92
ocserv[15025]: TLS[<5>]: REC[0x83c3260]: Preparing Packet Handshake(22) with length: 879 and min pad: 0
ocserv[15025]: TLS[<9>]: ENC[0x83c3260]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
ocserv[15025]: TLS[<5>]: REC[0x83c3260]: Sent Packet[2] Handshake(22) in epoch 0 and length: 884
ocserv[15025]: TLS[<5>]: REC[0x83c3260]: Preparing Packet Handshake(22) with length: 401 and min pad: 0
ocserv[15025]: TLS[<9>]: ENC[0x83c3260]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
ocserv[15025]: TLS[<5>]: REC[0x83c3260]: Sent Packet[3] Handshake(22) in epoch 0 and length: 406
ocserv[15025]: TLS[<5>]: REC[0x83c3260]: Preparing Packet Handshake(22) with length: 78 and min pad: 0
ocserv[15025]: TLS[<9>]: ENC[0x83c3260]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
ocserv[15025]: TLS[<5>]: REC[0x83c3260]: Sent Packet[4] Handshake(22) in epoch 0 and length: 83
ocserv[15025]: TLS[<5>]: REC[0x83c3260]: Preparing Packet Handshake(22) with length: 4 and min pad: 0
ocserv[15025]: TLS[<9>]: ENC[0x83c3260]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
ocserv[15025]: TLS[<5>]: REC[0x83c3260]: Sent Packet[5] Handshake(22) in epoch 0 and length: 9
ocserv[15025]: TLS[<3>]: ASSERT: gnutls_buffers.c:1104
ocserv[15025]: TLS[<5>]: REC[0x83c3260]: SSL 3.3 Handshake packet received. Epoch 0, length: 1079
ocserv[15025]: TLS[<5>]: REC[0x83c3260]: Expected Packet Handshake(22)
ocserv[15025]: TLS[<5>]: REC[0x83c3260]: Received Packet Handshake(22) with length: 1079
ocserv[15025]: TLS[<5>]: REC[0x83c3260]: Decrypted Packet[1] Handshake(22) with length: 1079
ocserv[15025]: TLS[<4>]: HSK[0x83c3260]: CERTIFICATE (11) was received. Length 1075[1075], frag offset 0, frag length: 1075, sequence: 0
ocserv[15025]: TLS[<3>]: ASSERT: extensions.c:65
ocserv[15025]: TLS[<3>]: ASSERT: status_request.c:369
ocserv[15025]: TLS[<3>]: ASSERT: verify.c:605
ocserv[15025]: TLS[<3>]: ASSERT: verify.c:953
ocserv[15025]: TLS[<3>]: ASSERT: verify.c:605
ocserv[15025]: TLS[<3>]: ASSERT: verify.c:953
ocserv[15025]: worker: client certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.
ocserv[15025]: TLS[<3>]: ASSERT: gnutls_handshake.c:3166
ocserv[15025]: GnuTLS error (at worker-vpn.c:468): Error in the certificate.
ocserv[15023]: main: 162.105.233.177:52711 command socket closed
ocserv[15023]: main: 162.105.233.177:52711 user disconnected
ocserv[15023]: main: added 1 points (total 2) for IP '162.105.233.177' to ban list
————snip————
[/log]
Thanks,
Dangyi Liu
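The worker line "client certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown." is GnuTLS reporting that no CA listed in ca-cert signed the presented client certificate, and each such failure adds a point to the peer's ban score (max-ban-score = 50 in the config above). The script below is an added example, not code from the thread or from the ocserv project: it parses ocserv debug log lines, attributes each verification failure to a peer address, maps the GnuTLS reason text to the server-side check to make, and flags addresses approaching the ban threshold. The embedded sample is a constructed subset of the log quoted in the post; the reason-to-hint table and the rule that a failure belongs to the next "user disconnected" address are this example's own assumptions, not ocserv's correlation logic.

```python
import re

# Constructed sample: a subset of the "ocserv -f -d 99" lines quoted in the post.
SAMPLE_LOG = """\
ocserv[15023]: main: processed 1 CA certificate(s)
ocserv[15023]: main: added 1 points (total 1) for IP '162.105.233.177' to ban list
ocserv[15025]: worker: accepted connection
ocserv[15025]: worker: client certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.
ocserv[15025]: GnuTLS error (at worker-vpn.c:468): Error in the certificate.
ocserv[15023]: main: 162.105.233.177:52711 command socket closed
ocserv[15023]: main: 162.105.233.177:52711 user disconnected
ocserv[15023]: main: added 1 points (total 2) for IP '162.105.233.177' to ban list
"""

# GnuTLS verification reasons as ocserv's worker prints them, mapped to the check
# an operator should make on the server side. This table is the example's own.
REASON_HINTS = {
    "The certificate is NOT trusted.":
        "generic distrust verdict; act on the accompanying reason",
    "The certificate issuer is unknown.":
        "no CA in ca-cert signed the client cert; compare the cert's issuer DN "
        "with the subject DN of the CA in ca-cert",
    "The certificate chain uses expired certificate.":
        "check notBefore/notAfter of client cert and CA against the server clock",
    "The certificate chain is revoked.":
        "client cert is listed in the configured CRL",
}

BAN_RE = re.compile(r"added (\d+) points \(total (\d+)\) for IP '([^']+)' to ban list")
VERIFY_RE = re.compile(r"client certificate verification failed: (.*)$")
DISCONNECT_RE = re.compile(r"main: ([\d.]+):\d+ user disconnected")


def parse_ocserv_log(text):
    """Extract per-IP ban-score totals and client-cert verification failures.

    The worker logs the GnuTLS verdict without the peer address and main logs the
    disconnect with it afterwards, so a pending failure is attributed to the next
    'user disconnected' line. That pairing is a heuristic assumed by this example.
    """
    ban_total = {}
    failures = []
    pending = None
    for line in text.splitlines():
        m = BAN_RE.search(line)
        if m:
            ban_total[m.group(3)] = int(m.group(2))
            continue
        m = VERIFY_RE.search(line)
        if m:
            # "A. B." -> ["A.", "B."]; each sentence is one GnuTLS status flag.
            reasons = [p.strip() + "." for p in m.group(1).split(".") if p.strip()]
            pending = {
                "ip": None,
                "reasons": reasons,
                "hints": [REASON_HINTS.get(r, "unmapped reason") for r in reasons],
            }
            failures.append(pending)
            continue
        m = DISCONNECT_RE.search(line)
        if m and pending is not None:
            pending["ip"] = m.group(1)
            pending = None
    return {"ban_total": ban_total, "failures": failures}


def ips_near_ban(ban_total, max_ban_score, margin=10):
    """Addresses whose accumulated score is within `margin` points of max-ban-score."""
    return sorted(ip for ip, total in ban_total.items() if total >= max_ban_score - margin)


if __name__ == "__main__":
    result = parse_ocserv_log(SAMPLE_LOG)
    for f in result["failures"]:
        print(f"{f['ip']}: {' '.join(f['reasons'])}")
        for hint in f["hints"]:
            print(f"  -> {hint}")
    print("ban totals:", result["ban_total"])
    print("near ban (max-ban-score=50):", ips_near_ban(result["ban_total"], 50))
```

Run against a live log, the second hint is the one that matters for the post above: the fix is on the server, by making ca-cert contain the CA that actually issued the client certificate (or re-issuing the client certificate from that CA), not in the PKCS#12 export step.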