NetworkManager-openconnect with X.509 Certificates

Gareth Williams gareth at garethwilliams.me.uk
Sun Jan 1 06:53:49 PST 2017


I'm trying to figure out why I can easily connect to my openconnect
server when using the command line, but cannot connect when using
NetworkManager-openconnect.

The successful command line is simply:

/usr/sbin/openconnect <hostname>:444 --certificate gareth.crt --sslkey
gareth.key --cafile cert1.crt

and I get:

POST https://<hostname>:444/
Attempting to connect to server <IP address>:444
Using client certificate 'gareth'
SSL negotiation with <hostname>
Connected to HTTPS on <hostname>
XML POST enabled
SSL negotiation with <hostname>
Connected to HTTPS on <hostname>
Got CONNECT response: HTTP/1.1 200 CONNECTED
CSTP connected. DPD 90, Keepalive 32400
Connected tun0 as 10.1.2.32, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite
(DTLS1.2)-(RSA)-(AES-128-GCM).

after which, routes all look good and traceroute shows my traffic going
via the remote server.

However, if I transpose that to NetworkManager's openconnect GUI and try
to connect, it instantly fails.  I used the --cafile above for 'CA
Certificate', --certificate above for 'User Certificate' and --sslkey
for 'Private Key'.

Running:

execsnoop -a16

shows that NetworkManager is running the following when I attempt to
connect:

/usr/sbin/openconnect --servercert
sha1:11e55e29dceaf27a52a039af9844c0b6d2b9abda --syslog --cookie-on-stdin
--script
/usr/lib/NetworkManager/nm-openconnect-service-openconnect-helper
--interface vpn0 <IP address>:444

I noticed that there is no mention of certificates in that command.

I ran that command manually and I get nothing out other than:

Failed to get a WebVPN cookie.

I then removed the --syslog and now I get more:

POST https://<IP address>:444/
Attempting to connect to server <IP address>:444
SSL negotiation with <IP address>
Server certificate verify failed: signer not found
SSL connection failure: Error in the pull function.
Failed to open HTTPS connection to <IP address>
Failed to obtain WebVPN cookie

Adding multiple -v options doesn't show any more information.

Getting hold of a WebVPN Cookie by adding the --authenticate to the
successful manual command line above and passing that using echo to the
above simply removes the 'Failed to obtain WebVPN cookie' message. Still
no connection.

Appending the three X.509 related command line options to the failing NM
one, gives me:

Attempting to connect to server <IP address>:444
Using client certificate 'gareth'
SSL negotiation with <IP address>
Server certificate verify failed: certificate does not match hostname
Connected to HTTPS on <IP address>
Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Unauthorized
Creating SSL connection failed

which is better, but not correct.

Removing the --cookie-on-stdin finally gets me connected:

POST https://<IP address>:444/
Attempting to connect to server <IP address>:444
Using client certificate 'gareth'
SSL negotiation with <IP address>
Server certificate verify failed: certificate does not match hostname
Connected to HTTPS on <IP address>
XML POST enabled
SSL negotiation with <IP address>
Server certificate verify failed: certificate does not match hostname
Connected to HTTPS on <IP address>
Got CONNECT response: HTTP/1.1 200 CONNECTED
CSTP connected. DPD 90, Keepalive 32400

** (process:23870): WARNING **: Could not send configuration
information: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The
name org.freedesktop.NetworkManager.openconnect was not provided by any
.service files
Connected vpn0 as 10.1.2.32, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite
(DTLS1.2)-(RSA)-(AES-128-GCM).

Now.  I'm certain that I'm not the only person to ever attempt to
connect to ocserv using NetworkManager-openconnect and X.509
certificates.  That leads me to believe that the software is good and
that I'm missing a trick somewhere.  I've scratched my head for a day or
so trying to figure this out, but I'm stumped by the strange command
executed by NetworkManager and am worried that I've gone down a rabbit
hole with this.

For info, I'm using network-manager-openconnect_1.2.2-1_amd64.deb and
openconnect_7.06-2build3_amd64.deb at the client (on Ubuntu 16.10) and
on the server, ocserv is 0.11.6 running on CentOS-7.

Can someone kindly point me back onto the correct track?

Thanks in advance,

Gareth
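An added example (not from the original post or the NetworkManager-openconnect project) of the two-stage flow NetworkManager-openconnect uses, in POSIX shell: its auth dialog runs stage 1 with the X.509 options and obtains the WebVPN cookie, and the service then runs the stage-2 command seen above, which needs only the cookie, the host and the pinned server fingerprint, so no certificate options appear in it. The stage-1 output lines are constructed placeholders; the exact quoting of the --authenticate output and whether HOST includes the port are assumptions to check against the installed openconnect man page.

```shell
# Stage 1: authenticate only, with the same X.509 options as the manual
# command line; prints COOKIE=, HOST= and FINGERPRINT= lines on stdout.
authenticate_stage() {  # args: server client.crt client.key ca.crt
    openconnect --authenticate --certificate "$2" --sslkey "$3" \
        --cafile "$4" "$1"
}

# Parse those lines into COOKIE/HOST/FINGERPRINT without eval, so an
# unexpected output line cannot execute anything; surrounding single
# quotes, if present, are stripped.
parse_authenticate_output() {
    COOKIE=''; HOST=''; FINGERPRINT=''
    while IFS='=' read -r key value; do
        value=${value#"'"}; value=${value%"'"}
        case $key in
            COOKIE)      COOKIE=$value ;;
            HOST)        HOST=$value ;;
            FINGERPRINT) FINGERPRINT=$value ;;
        esac
    done
    [ -n "$COOKIE" ] && [ -n "$HOST" ] && [ -n "$FINGERPRINT" ]
}

# Stage 2 command line: no certificate options, only cookie and pin,
# which is the shape of the command NetworkManager is seen executing.
connect_command() {
    printf 'openconnect --servercert %s --cookie-on-stdin %s\n' \
        "$FINGERPRINT" "$HOST"
}

# Whole flow (defined, not run here): stage-1 output feeds stage 2.
connect_with_certificates() {  # args: server client.crt client.key ca.crt
    out=$(authenticate_stage "$@") || return 1
    parse_authenticate_output <<EOF || return 1
$out
EOF
    printf '%s\n' "$COOKIE" | openconnect --servercert "$FINGERPRINT" \
        --cookie-on-stdin "$HOST"
}

# Constructed sample of stage-1 output (placeholder values, not real):
SAMPLE_AUTH_OUTPUT="COOKIE='webvpn=PLACEHOLDER0123456789abcdef'
HOST='203.0.113.10:444'
FINGERPRINT='sha1:0000000000000000000000000000000000000000'"
parse_authenticate_output <<EOF
$SAMPLE_AUTH_OUTPUT
EOF
connect_command
```

Run `connect_with_certificates '<hostname>:444' gareth.crt gareth.key cert1.crt` to perform the real flow against a server.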

