Getting "SSL connection failure: PKCS #11 error." even when supplying the correct CA file
Nikos Mavrogiannopoulos
n.mavrogiannopoulos at gmail.com
Thu Sep 21 17:38:26 PDT 2017
Without using debugging tools you most likely never find the culprit. From you previous logs, the client fails at signing with rsa-sha512. A long shot may be that there is a buffer overflow somewhere due to sha512. Have you tried eliminating this signing algorithm from server (or client)?
On September 20, 2017 12:20:13 PM GMT+02:00, David Raison <david at tentwentyfour.lu> wrote:
>Hi Nikos,
>
>
>On 20/09/17 12:08, Nikos Mavrogiannopoulos wrote:
>>> Which means I'm stuck again. I have the same "SSL connection
>failure:
>>> PKCS #11 error" on debian and fedora and I have the exact same
>>> segmentation fault.
>>> The version of opensc on debian is 0.16.0-3 while the one on fedora
>is
>>> 0.17.0-1fc26
>> That doesn't matter as you don't use opensc. Most likely the crash is
>> in libgclib.so. Try running the same command under valgrind to verify
>> that. In that case, there is not much to do except reporting that to
>> the provider of the pkcs11 module (gemalto).
>
>The segfault only occurs when I use the pkcs11-spy module, not when I
>don't set LD_PRELOAD and it uses the default token module (libgclib.so)
>
>I could of course throw some additional debugging on this (valgrind,
>gdb, etc) but is it really worth the effort? Are we sure it's not a
>problem with the configuration or the remote endpoint? (Since I've seen
>it work – briefly – in the past).
>
>Regards,
>David
--
Sent from my mobile. Please excuse my brevity.
More information about the openconnect-devel
mailing list