Build of OpenConnect 7.05+ for EL6?

Oliver Hernandez mr.oliver.hernandez at gmail.com
Mon Jul 11 12:05:39 PDT 2016


(it may be a while before I get to testing that new version of libp11)

I finally got an OpenConnect RPM built that will install on my EL6
system.  But, no matter what pkcs11 URL I tried, it fails to load the
certificate after I enter my PIN.

To rule out any nuances with EL6, I installed OpenConnect on a CentOS
7 VM, and I'm getting the same error!

I'm following the how-to from here:

http://jonathonreinhart.blogspot.com/2015/01/connecting-to-cisco-asa-vpn-with-dod.html

# p11tool --list-all-certs
pkcs11:model=;manufacturer=;serial=;token=HERNANDEZ.OLIVER.xxxx.xxxx

gives me in the output the certificate I need to use to authenticate
with, the second one listed:

Object 1:
 URL: pkcs11:model=;manufacturer=;serial=;token=HERNANDEZ.OLIVER.xxx.xxxxxx;id=%00%02;object=CAC%20Email%20Signature%20Certificate;object-type=cert
 Type: X.509 Certificate
 Label: CAC Email Signature Certificate
 ID: 00:02

And the result of attempting to connect:

# openconnect --no-cert-check -c
'pkcs11:token=HERNANDEZ.OLIVER.xxx.xxxxx;id=%02' foo.remotevpn.com
POST https://foo.remotevpn.com/
Attempting to connect to server 111.222.33.44:443
PIN required for HERNANDEZ.OLIVER.xxx.xxxxx
Enter PIN:
Error loading certificate from PKCS#11: The requested data were not available.
Loading certificate failed. Aborting.
Failed to open HTTPS connection to foo.remotevpn.com
Failed to obtain WebVPN cookie
#

Thanks!

On Mon, Jul 11, 2016 at 3:31 AM, Nikos Mavrogiannopoulos
<n.mavrogiannopoulos at gmail.com> wrote:
> I've pushed the latest version of libp11 for el6. To speed this
> inclusion, please leave some karma at:
> https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-ce3a833dca
>
> On Fri, Jul 8, 2016 at 1:40 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
>> On Fri, 2016-07-08 at 10:24 +0100, David Woodhouse wrote:
>>> On Fri, 2016-07-08 at 10:53 +0200, Nikos Mavrogiannopoulos wrote:
>>> > On Thu, Jul 7, 2016 at 11:20 PM, Oliver Hernandez
>>> > <mr.oliver.hernandez at gmail.com> wrote:
>>> > > I now have a need to connect to a Cisco VPN that authenticates with a
>>> > > PKCS Smart Card.  This EL6 build of OpenConnect does not have the
>>> > > PKCS#11 support.  Any chance there's an EL6 version of OpenConnect 7
>>> > > built with PKCS#11 support?  Thanks!
>>> >
>>> > No the libraries there are too old. You'll have to use RHEL7.
>>>
>>> Don't we just need to package libp11 for EPEL6?
>>
>> I made a scratch build of libp11 for EL6:
>> https://koji.fedoraproject.org/koji/taskinfo?taskID=14819597
>>
>> I installed this (and p11-kit-devel) on a CentOS 6 VM and built
>> OpenConnect. It seems to work.
>>
>> --
>> dwmw2
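
Added example, not code from this thread, from OpenConnect, GnuTLS or p11tool: a minimal RFC 7512 pkcs11: URI parser and object matcher in Python. The listing above prints the certificate's URL with `id=%00%02` while the connect command is given `id=%02`; the example shows how a matcher percent-decodes the `id` attribute to raw bytes and compares it byte for byte, so that those two spellings select different objects. The token inventory is constructed to mirror the shape of the p11tool output (token label and object names are placeholders), and ignoring the `model`, `manufacturer` and `serial` attributes is a simplification of this example.

```python
"""Added example: a minimal RFC 7512 pkcs11: URI parser and object matcher.
Not OpenConnect, GnuTLS or p11tool code; the token inventory below is
constructed to mirror the shape of the p11tool listing in the thread."""
from urllib.parse import unquote_to_bytes

# Constructed inventory: what a token might report, attribute values stored as
# the raw bytes that p11tool percent-encodes when it prints the URL.
TOKEN_OBJECTS = [
    {"token": b"HERNANDEZ.OLIVER.xxx.xxxxxx", "id": b"\x00\x01",
     "object": b"CAC ID Certificate", "type": "cert"},
    {"token": b"HERNANDEZ.OLIVER.xxx.xxxxxx", "id": b"\x00\x02",
     "object": b"CAC Email Signature Certificate", "type": "cert"},
]


def parse_pkcs11_uri(uri):
    """Return {attribute: raw bytes} for the path part of a pkcs11: URI.

    RFC 7512 path attributes are ';'-separated name=value pairs with
    percent-encoded values: 'id=%00%02' denotes the two bytes 00 02,
    while 'id=%02' denotes the single byte 02.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _sep, _query = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    for part in path.split(";"):
        if not part:
            continue
        name, eq, value = part.partition("=")
        if not eq:
            raise ValueError(f"malformed attribute {part!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute {name!r}")
        attrs[name] = unquote_to_bytes(value)
    # 'object-type' is the older spelling of 'type'; treat them alike.
    if "object-type" in attrs:
        attrs["type"] = attrs.pop("object-type")
    return attrs


def _as_bytes(value):
    """Inventory values may be str or bytes; compare everything as bytes."""
    return value.encode() if isinstance(value, str) else value


def match_objects(uri, objects=TOKEN_OBJECTS):
    """Return the inventory entries that satisfy every attribute in the URI.

    An attribute absent from the URI matches anything; an attribute present
    must equal the object's value byte for byte. Attributes the constructed
    inventory does not record (model, manufacturer, serial) are skipped,
    which is a simplification of this example, not RFC 7512 behaviour.
    """
    wanted = parse_pkcs11_uri(uri)
    hits = []
    for obj in objects:
        if all(_as_bytes(obj[name]) == value
               for name, value in wanted.items() if name in obj):
            hits.append(obj)
    return hits


def explain_mismatch(uri, objects=TOKEN_OBJECTS):
    """For each object, list (attribute, wanted, actual) triples that differ.

    Useful when a client only reports that the requested object was not
    available and gives no hint which attribute failed to match.
    """
    wanted = parse_pkcs11_uri(uri)
    report = []
    for obj in objects:
        diffs = [(name, value, _as_bytes(obj[name]))
                 for name, value in wanted.items()
                 if name in obj and _as_bytes(obj[name]) != value]
        report.append((obj["object"].decode(), diffs))
    return report


if __name__ == "__main__":
    listed = ("pkcs11:token=HERNANDEZ.OLIVER.xxx.xxxxxx;id=%00%02;"
              "object=CAC%20Email%20Signature%20Certificate;object-type=cert")
    typed = "pkcs11:token=HERNANDEZ.OLIVER.xxx.xxxxxx;id=%02"
    print("listed URL matches:", [o["object"] for o in match_objects(listed)])
    print("typed URL matches: ", [o["object"] for o in match_objects(typed)])
    for name, diffs in explain_mismatch(typed):
        print(name, diffs)
```

Run as a script it prints which constructed objects each URL selects and, for the `id=%02` form, the per-object attribute differences; a real client would perform the same comparison against the attributes the token reports, so copying the URL exactly as p11tool prints it avoids the decoding difference shown here.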
