Getting "SSL connection failure: PKCS #11 error." even when supplying the correct CA file
David Raison
david at tentwentyfour.lu
Fri Apr 28 02:00:41 PDT 2017
Hi,
I've had trouble connecting to a VPN using openconnect since some
unknown change either on the server side (new certificate) or the client
side (updated ca-certificates package maybe); I haven't been able to
figure this out.
Basically, the symptoms are an SSL connection failure in openconnect:
> Using client certificate 'My name'
> Got no issuer from PKCS#11
> SSL negotiation with vpn.host.tld
> Connected to HTTPS on vpn.host.tld
> Got HTTP response: HTTP/1.1 200 OK
> Content-Type: text/html; charset=utf-8
> Transfer-Encoding: chunked
> Cache-Control: no-cache
> Pragma: no-cache
> Connection: Keep-Alive
> Date: Fri, 28 Apr 2017 08:14:48 GMT
> X-Frame-Options: SAMEORIGIN
> X-Aggregate-Auth: 1
> HTTP body chunked (-2)
> POST https://vpn.host.tld/
> SSL negotiation with vpn.host.tld
> SSL connection failure: PKCS #11 error.
> Failed to open HTTPS connection to vpn.host.tld
> Failed to obtain WebVPN cookie
>
I also tried it using the AnyConnect client for Linux and it would also
say "Certificate validation error".
So after much ranting and giving up for a while, I retried today and
found a working solution for the AnyConnect client here:
http://blog.bstpierre.org/fixing-certificate-errors-with-cisco-anyconnect
The server certificate for vpn.host.tld is signed by the DigiCert CA:
> issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2
> Extended Validation Server CA
So I exported the .pem from Firefox's certificates to
/opt/.cisco/certificates and with that, the AnyConnect client started
working.
I tried the same with openconnect, in two ways:
1) Copying the pem to /etc/ssl/certs/ and
2) Specifying it directly passing the --cafile parameter to openconnect
> openconnect -v --no-system-trust
> --cafile=/etc/ssl/certs/DigiCert_SHA2_Extended_Validation_Server_CA.pem
> --script /root/vpnc-script -c 'pkcs11:model=Classic…' https://vpn.host.tld
… but to no avail.
Does someone have an idea why the above-mentioned solution would work
for the AnyConnect client, but not for openconnect?
Best regards,
David
--
TenTwentyFour S.à r.l.
W: www.tentwentyfour.lu
T: +352 20 211 1024
F: +352 20 211 1023
9 av. des Hauts-Fourneaux
4362 Esch-sur-Alzette
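An offline check that a reader can run against the two `--cafile` attempts above, added here as an example and not part of David's post or of the openconnect project: given a server certificate and a PEM file, it reports whether the PEM file is a self-signed root or an intermediate, and whether `openssl verify` can build a trusted chain from the server certificate to it. The point is that a file holding only an issuing CA such as "DigiCert SHA2 Extended Validation Server CA" (an intermediate, not a root) cannot by itself anchor a chain in a verifier that insists on reaching a self-signed root; the root (plus the intermediate, unless the server sends it) has to be present. It assumes the `openssl` command-line tool is installed; every certificate it uses is generated on the spot with constructed names, so nothing here touches vpn.host.tld.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI.
# All certificates below are constructed in a temp dir (CN=Example Root,
# CN=Example Intermediate CA, CN=vpn.example); none are real DigiCert certs.
set -eu

# Print "root" if the certificate is self-signed, "intermediate" otherwise.
# The sed strips "subject=" / "issuer=" so 1.0.x and 1.1+/3.x output compare alike.
ca_kind() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    if [ "$subj" = "$iss" ]; then echo root; else echo intermediate; fi
}

# verify_leaf CAFILE LEAF [UNTRUSTED]: print "ok" if openssl can chain LEAF to a
# trust anchor in CAFILE, else "fail". UNTRUSTED plays the role of intermediates
# the server would send in the handshake. We look for ": OK" in the output
# rather than trusting the exit status, which older releases did not set.
verify_leaf() {
    if [ $# -ge 3 ]; then
        out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1 || true)
    else
        out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)
    fi
    case "$out" in *": OK"*) echo ok ;; *) echo fail ;; esac
}

# Build a constructed chain root -> intermediate -> server and print the
# directory holding root.pem, int.pem, srv.pem and bundle.pem (root+int).
make_chain() {
    d=$(mktemp -d)
    # CA extensions: without basicConstraints CA:TRUE a v3 cert is not a valid CA.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Root' \
        -keyout "$d/root.key" -out "$d/root.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate CA' \
        -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/int.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=vpn.example' \
        -keyout "$d/srv.key" -out "$d/srv.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/srv.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 1 -out "$d/srv.pem" >/dev/null 2>&1
    cat "$d/root.pem" "$d/int.pem" > "$d/bundle.pem"
    echo "$d"
}

# Stand-alone run: show the four outcomes a --cafile experiment can produce.
main() {
    d=$(make_chain)
    echo "root.pem is a $(ca_kind "$d/root.pem"), int.pem is an $(ca_kind "$d/int.pem")"
    echo "intermediate only:          $(verify_leaf "$d/int.pem" "$d/srv.pem")"
    echo "root only, no intermediate: $(verify_leaf "$d/root.pem" "$d/srv.pem")"
    echo "root + server-sent int:     $(verify_leaf "$d/root.pem" "$d/srv.pem" "$d/int.pem")"
    echo "bundle (root + int):        $(verify_leaf "$d/bundle.pem" "$d/srv.pem")"
    rm -rf "$d"
}
main
```

To apply it to a real server, save the certificate the VPN presents (for instance from `openssl s_client -showcerts`) as the leaf and pass the file you intend to give to `--cafile` as CAFILE: if `ca_kind` says "intermediate" and `verify_leaf` says "fail", the file alone is not a usable trust anchor, whatever the client.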