doesn't connect with certificate

David Woodhouse dwmw2 at infradead.org
Fri Dec 1 04:27:29 PST 2017


On Fri, 2017-12-01 at 12:58 +0100, Union wrote:
> 
> In the past I could successfully connect with the pfx certificate to
> the ASA server with openconnect.
> 
> But for the last couple of weeks this doesn't work anymore. It seems
> the connection is established, but at the end it just throws out the login
> entry (more details in the attachment).

I take it the certificate hasn't expired?

The primary version of OpenConnect isn't on github, btw.  I'm not sure
which one you're looking at, but it shouldn't make much difference;
this hasn't changed for a while.

One possibility is that you aren't sending the full trust chain for the
certificate. Given that your client is complaining about an "untrusted"
certificate on the server, that looks like you don't have your
corporate SSL CA installed correctly.

OpenConnect will include all intermediate CAs in its request on the
wire, if it can find them.... but in your case it won't. Sometimes, the
server admins forget to install the intermediate CAs. And sometimes,
ancient OpenSSL bugs mean that the ASA attempts to use the *wrong*
intermediate CA.
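The two things David asks about (has the client certificate expired, and does the .pfx actually carry the intermediate CA so a full chain can be sent) can be checked offline before touching the VPN. The script below is an added example written for this page, not code from the thread or from the OpenConnect project. It assumes only the OpenSSL command-line tool; the file names `client.pfx` and `corporate-ca.pem` and the password are placeholders to substitute, and the functions use the standard `openssl pkcs12 -clcerts`/`-cacerts`, `openssl x509 -checkend` and `openssl verify -untrusted` options.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a client .pfx bundle the way a
# defender would when OpenConnect stops at the certificate stage.  Assumes only
# the OpenSSL CLI.  File names and the password below are placeholders.

# Print how many CA certificates are stored alongside the client certificate
# in PFX.  0 means no intermediate travels with the leaf, so the client has
# nothing to send and the server must already hold the intermediate itself.
pfx_ca_count() {
  pfx=$1; pass=$2
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# Return 0 if the client (leaf) certificate in PFX is still inside its validity
# period, non-zero if it has expired.  "-checkend 0" asks: expires within 0 s?
pfx_leaf_valid() {
  pfx=$1; pass=$2
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null \
    | openssl x509 -noout -checkend 0 >/dev/null 2>&1
}

# Return 0 if the leaf in PFX chains up to a root in CAFILE using only the
# intermediates carried inside the PFX, 1 otherwise.  A bundle that lacks its
# intermediate fails here even though the leaf itself is perfectly good,
# which is exactly the "missing trust chain" situation described above.
pfx_chain_verifies() {
  pfx=$1; pass=$2; cafile=$3
  work=$(mktemp -d) || return 2
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null \
    | openssl x509 -out "$work/leaf.pem" 2>/dev/null
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys 2>/dev/null \
    > "$work/cas.pem"
  if grep -q 'BEGIN CERTIFICATE' "$work/cas.pem"; then
    # Intermediates present: offer them as untrusted chain-building material.
    if openssl verify -CAfile "$cafile" -untrusted "$work/cas.pem" \
         "$work/leaf.pem" >/dev/null 2>&1; then rc=0; else rc=1; fi
  else
    # No intermediates in the bundle: the leaf must chain directly to CAFILE.
    if openssl verify -CAfile "$cafile" "$work/leaf.pem" >/dev/null 2>&1
    then rc=0; else rc=1; fi
  fi
  rm -rf "$work"
  return $rc
}

# Human-readable summary.  Usage: pfx_report client.pfx 'password' corporate-ca.pem
pfx_report() {
  printf 'CA certs carried in bundle: %s\n' "$(pfx_ca_count "$1" "$2")"
  if pfx_leaf_valid "$1" "$2"; then
    echo 'leaf validity: OK'
  else
    echo 'leaf validity: EXPIRED (or bundle could not be opened)'
  fi
  if pfx_chain_verifies "$1" "$2" "$3"; then
    echo 'chain to CA: OK'
  else
    echo 'chain to CA: FAILED (missing intermediate or wrong CA?)'
  fi
}

# Run the report when invoked directly with: pfx, password, CA bundle.
if [ "$#" -ge 3 ]; then pfx_report "$1" "$2" "$3"; fi
```

If the report shows zero CA certificates but the chain still verifies against the corporate CA file, the intermediate is simply absent from the bundle and should be re-exported into it (`openssl pkcs12 -export ... -certfile intermediate.pem`); if the chain fails even with the intermediate present, the CA file on the client is not the one that issued the certificate, which matches the "untrusted" complaint in the original report.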