Problem with cisco anyconnect vpn with certificate on pkcs11

Noel Dieschburg noel at cblue.be
Fri Sep 22 05:10:17 PDT 2017


Hello all, 

I have a problem using openconnect to connect to a cisco anyconnect vpn
with a certificate on a smartcard. 

Here is my configuration:

* Arch Linux
* Openconnect : Version v7.08 de OpenConnect
Using GnuTLS. Features present: PKCS#11, HOTP software token, TOTP
software token, Yubikey OATH, System keys, DTLS
* Luxtrust java middleware and gemalto driver for smartcard. 

It asks me for my PIN code and almost connects, but throws an SSL
connection failure: PKCS #11 erreur.

openconnect --gnutls-debug=99 -v -c 'pkcs11:model=Classic%20V3;manufacturer=Gemalto%20S.A.;serial=509500079F5C5CD6;token=GemP15-1;id=%69%eb%a2%99%e5%f2%80%ef%82%62%f8%d2%e7%c5%1a%5f%43%06%3d%ac;object=User%20Cert%20Auth;type=cert' https://vpn.example.com

Attached, you'll find my full log. 

Does someone have an idea? I don't master openssl enough to debug that.

Thank you very much in advance. 

Best regards. 

Noel Dieschburg
-------------- next part --------------
POST https://vpn.example.com/
Attempting to connect to server XXX.XXX.XX.XX:443
Connected to XXX.XXX.XX.XX:443
Initializing PKCS #11 modules
p11: Initializing module: p11-kit-trust
p11: Initializing module: beid
p11: Initializing module: gnome-keyring
p11: Initializing module: libclassicclient
ASSERT: pkcs11.c[compat_load]:685
p11: No login requested.
p11 attrs: CKA_CLASS (CERT), CKA_CERTIFICATE_TYPE
p11 attrs: CKA_TRUSTED
p11 attrs: CKA_CERTIFICATE_CATEGORY=CA
p11: No login requested.
p11 attrs: CKA_CLASS (CERT), CKA_CERTIFICATE_TYPE
p11 attrs: CKA_TRUSTED
p11 attrs: CKA_CERTIFICATE_CATEGORY=CA
ASSERT: pkcs11.c[find_objs_cb]:2766
ASSERT: pkcs11.c[gnutls_pkcs11_obj_list_import_url3]:3087
Using PKCS#11 certificate pkcs11:model=Classic%20V3;manufacturer=Gemalto%20S.A.;serial=509500079F5C5CD6;token=GemP15-1;id=%69%eb%a2%99%e5%f2%80%ef%82%62%f8%d2%e7%c5%1a%5f%43%06%3d%ac;object=User%20Cert%20Auth;type=cert
p11: No login requested.
ASSERT: extensions.c[_gnutls_get_extension]:65
ASSERT: extensions.c[_gnutls_get_extension]:65
PIN required for GemP15-1
Enter PIN:
p11: Login result = ok (0)
Using PKCS#11 key pkcs11:model=Classic%20V3;manufacturer=Gemalto%20S.A.;serial=509500079F5C5CD6;token=GemP15-1;id=%69%eb%a2%99%e5%f2%80%ef%82%62%f8%d2%e7%c5%1a%5f%43%06%3d%ac;object=User%20Cert%20Auth;type=private
Using client certificate 'Noël Guy B Dieschburg'
ASSERT: common.c[x509_read_value]:698
p11: No login requested.
ASSERT: pkcs11.c[find_cert_cb]:3730
p11: No login requested.
ASSERT: pkcs11.c[find_cert_cb]:3730
ASSERT: pkcs11.c[find_cert_cb]:3555
ASSERT: pkcs11.c[gnutls_pkcs11_get_raw_issuer]:3814
ASSERT: verify-high.c[gnutls_x509_trust_list_get_issuer]:969
ASSERT: common.c[x509_read_value]:698
p11: No login requested.
ASSERT: pkcs11.c[find_cert_cb]:3730
ASSERT: pkcs11.c[find_cert_cb]:3555
ASSERT: pkcs11.c[gnutls_pkcs11_get_raw_issuer]:3814
ASSERT: extensions.c[_gnutls_get_extension]:65
ASSERT: extensions.c[_gnutls_get_extension]:65
ASSERT: x509_ext.c[gnutls_subject_alt_names_get]:110
ASSERT: x509.c[get_alt_name]:1701
ASSERT: str-idna.c[gnutls_idna_map]:297
unable to convert hostname Noël Guy B Dieschburg to IDNA format
REC[0x197e720]: Allocating epoch #0
Négociation SSL avec vpn.example.com
ASSERT: constate.c[_gnutls_epoch_get]:600
REC[0x197e720]: Allocating epoch #1
HSK[0x197e720]: Adv. version: 3.3
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CHACHA20_POLY1305 (CC.A9)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CCM (C0.AD)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA384 (C0.24)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384 (C0.73)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CCM (C0.AC)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384 (C0.30)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CHACHA20_POLY1305 (CC.A8)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1 (C0.14)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA384 (C0.28)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 (C0.77)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1 (C0.13)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256 (C0.27)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_RSA_AES_256_GCM_SHA384 (00.9D)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_GCM_SHA384 (C0.7B)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CCM (C0.9D)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA1 (00.35)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA256 (00.3D)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA1 (00.84)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA256 (00.C0)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_RSA_AES_128_GCM_SHA256 (00.9C)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_GCM_SHA256 (C0.7A)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CCM (C0.9C)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA1 (00.2F)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA256 (00.3C)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA1 (00.41)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA256 (00.BA)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_RSA_3DES_EDE_CBC_SHA1 (00.0A)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_GCM_SHA384 (00.9F)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_DHE_RSA_CHACHA20_POLY1305 (CC.AA)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CCM (C0.9F)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA1 (00.39)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA256 (00.6B)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_GCM_SHA256 (00.9E)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CCM (C0.9E)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA1 (00.33)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA256 (00.67)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE)
HSK[0x197e720]: Keeping ciphersuite: GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1 (00.16)
EXT[0x197e720]: Sending extension OCSP Status Request (5 bytes)
HSK[0x197e720]: sent server name: 'vpn.example.com'
EXT[0x197e720]: Sending extension Server Name Indication (16 bytes)
EXT[0x197e720]: Sending extension Safe Renegotiation (1 bytes)
EXT[0x197e720]: Sending extension Session Ticket (0 bytes)
EXT[0x197e720]: Sending extension Supported curves (12 bytes)
EXT[0x197e720]: Sending extension Supported ECC Point Formats (2 bytes)
EXT[0x197e720]: sent signature algo (4.1) RSA-SHA256
EXT[0x197e720]: sent signature algo (4.3) ECDSA-SHA256
EXT[0x197e720]: sent signature algo (5.1) RSA-SHA384
EXT[0x197e720]: sent signature algo (5.3) ECDSA-SHA384
EXT[0x197e720]: sent signature algo (6.1) RSA-SHA512
EXT[0x197e720]: sent signature algo (6.3) ECDSA-SHA512
EXT[0x197e720]: sent signature algo (3.1) RSA-SHA224
EXT[0x197e720]: sent signature algo (3.3) ECDSA-SHA224
EXT[0x197e720]: sent signature algo (2.1) RSA-SHA1
EXT[0x197e720]: sent signature algo (2.3) ECDSA-SHA1
EXT[0x197e720]: Sending extension Signature Algorithms (22 bytes)
HSK[0x197e720]: CLIENT HELLO was queued [245 bytes]
HWRITE: enqueued [CLIENT HELLO] 245. Total 245 bytes.
HWRITE FLUSH: 245 bytes in buffer.
REC[0x197e720]: Preparing Packet Handshake(22) with length: 245 and min pad: 0
ENC[0x197e720]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
WRITE: enqueued 250 bytes for 0x5. Total 250 bytes.
REC[0x197e720]: Sent Packet[1] Handshake(22) in epoch 0 and length: 250
HWRITE: wrote 1 bytes, 0 bytes left.
WRITE FLUSH: 250 bytes in buffer.
WRITE: wrote 250 bytes, 0 bytes left.
ASSERT: buffers.c[get_last_packet]:1159
READ: Got 5 bytes from 0x5
READ: read 5 bytes from 0x5
RB: Have 0 bytes into buffer. Adding 5 bytes.
RB: Requested 5 bytes
REC[0x197e720]: SSL 3.3 Handshake packet received. Epoch 0, length: 85
REC[0x197e720]: Expected Packet Handshake(22)
REC[0x197e720]: Received Packet Handshake(22) with length: 85
READ: Got 85 bytes from 0x5
READ: read 85 bytes from 0x5
RB: Have 5 bytes into buffer. Adding 85 bytes.
RB: Requested 90 bytes
REC[0x197e720]: Decrypted Packet[0] Handshake(22) with length: 85
BUF[REC]: Inserted 85 bytes of Data(22)
HSK[0x197e720]: SERVER HELLO (2) was received. Length 81[81], frag offset 0, frag length: 81, sequence: 0
HSK[0x197e720]: Server's version: 3.3
HSK[0x197e720]: SessionID length: 32
HSK[0x197e720]: SessionID: bc129069c761404444863136a5488f470a60b9979154cf314eb58f00a8aa6bb1
HSK[0x197e720]: Selected cipher suite: DHE_RSA_AES_256_CBC_SHA1
HSK[0x197e720]: Selected compression method: NULL (0)
EXT[0x197e720]: Parsing extension 'Server Name Indication/0' (0 bytes)
EXT[0x197e720]: Parsing extension 'Safe Renegotiation/65281' (1 bytes)
HSK[0x197e720]: Safe renegotiation succeeded
ASSERT: buffers.c[get_last_packet]:1159
READ: Got 5 bytes from 0x5
READ: read 5 bytes from 0x5
RB: Have 0 bytes into buffer. Adding 5 bytes.
RB: Requested 5 bytes
REC[0x197e720]: SSL 3.3 Handshake packet received. Epoch 0, length: 4491
REC[0x197e720]: Expected Packet Handshake(22)
REC[0x197e720]: Received Packet Handshake(22) with length: 4491
READ: Got 1333 bytes from 0x5
READ: Got 1428 bytes from 0x5
READ: Got 1428 bytes from 0x5
READ: Got 302 bytes from 0x5
READ: read 4491 bytes from 0x5
RB: Have 5 bytes into buffer. Adding 4491 bytes.
RB: Requested 4496 bytes
REC[0x197e720]: Decrypted Packet[1] Handshake(22) with length: 4491
BUF[REC]: Inserted 4491 bytes of Data(22)
HSK[0x197e720]: CERTIFICATE (11) was received. Length 4487[4487], frag offset 0, frag length: 4487, sequence: 0
ASSERT: extensions.c[_gnutls_get_extension]:65
ASSERT: extensions.c[_gnutls_get_extension]:65
ASSERT: extensions.c[_gnutls_get_extension]:65
ASSERT: extensions.c[_gnutls_get_extension]:65
ASSERT: extensions.c[_gnutls_get_extension]:65
ASSERT: extensions.c[_gnutls_get_extension]:65
ASSERT: extensions.c[_gnutls_get_extension]:65
ASSERT: extensions.c[_gnutls_get_extension]:65
ASSERT: extensions.c[_gnutls_get_extension]:65
ASSERT: extensions.c[_gnutls_get_extension]:65
ASSERT: extensions.c[_gnutls_get_extension]:65
ASSERT: status_request.c[gnutls_ocsp_status_request_get]:379
ASSERT: extensions.c[_gnutls_get_extension]:65
ASSERT: common.c[x509_read_value]:698
ASSERT: common.c[x509_read_value]:698
ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:1003
ASSERT: common.c[x509_read_value]:698
ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:1003
ASSERT: verify.c[verify_crt]:604
GNUTLS_SEC_PARAM_LOW: certificate's issuer security level is unacceptable
ASSERT: verify.c[is_level_acceptable]:429
ASSERT: verify.c[verify_crt]:714
ASSERT: verify.c[verify_crt]:743
ASSERT: verify.c[_gnutls_verify_crt_status]:913
ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:1003
ASSERT: verify.c[verify_crt]:604
GNUTLS_SEC_PARAM_LOW: certificate's issuer security level is unacceptable
ASSERT: verify.c[is_level_acceptable]:429
ASSERT: verify.c[verify_crt]:714
ASSERT: verify.c[verify_crt]:743
ASSERT: verify.c[_gnutls_verify_crt_status]:913
ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:1003
p11: No login requested.
ASSERT: pkcs11.c[find_cert_cb]:3730
p11: No login requested.
ASSERT: pkcs11.c[find_cert_cb]:3730
ASSERT: pkcs11.c[find_cert_cb]:3555
crt_is_known: did not find cert, using issuer DN + serial, using DN only
ASSERT: pkcs11.c[gnutls_pkcs11_crt_is_known]:4095
p11: No login requested.
ASSERT: pkcs11.c[find_cert_cb]:3730
p11: No login requested.
ASSERT: pkcs11.c[find_cert_cb]:3730
ASSERT: pkcs11.c[find_cert_cb]:3555
ASSERT: pkcs11.c[gnutls_pkcs11_crt_is_known]:4108
crt_is_known: did not find any cert
p11: No login requested.
ASSERT: pkcs11.c[find_cert_cb]:3730
p11: No login requested.
ASSERT: pkcs11.c[find_cert_cb]:3730
ASSERT: pkcs11.c[find_cert_cb]:3555
crt_is_known: did not find cert, using issuer DN + serial, using DN only
ASSERT: pkcs11.c[gnutls_pkcs11_crt_is_known]:4095
p11: No login requested.
ASSERT: pkcs11.c[find_cert_cb]:3730
p11: No login requested.
ASSERT: pkcs11.c[find_cert_cb]:3730
ASSERT: pkcs11.c[find_cert_cb]:3555
ASSERT: pkcs11.c[gnutls_pkcs11_crt_is_known]:4108
crt_is_known: did not find any cert
p11: No login requested.
ASSERT: pkcs11.c[find_cert_cb]:3730
p11: No login requested.
ASSERT: pkcs11.c[find_cert_cb]:3730
ASSERT: pkcs11.c[find_cert_cb]:3555
crt_is_known: did not find cert, using issuer DN + serial, using DN only
ASSERT: pkcs11.c[gnutls_pkcs11_crt_is_known]:4095
p11: No login requested.
ASSERT: pkcs11.c[find_cert_cb]:3730
p11: No login requested.
ASSERT: pkcs11.c[find_cert_cb]:3730
ASSERT: pkcs11.c[find_cert_cb]:3555
ASSERT: pkcs11.c[gnutls_pkcs11_crt_is_known]:4108
crt_is_known: did not find any cert
p11: No login requested.
ASSERT: pkcs11.c[find_cert_cb]:3730
p11: No login requested.
ASSERT: pkcs11.c[find_cert_cb]:3730
ASSERT: pkcs11.c[find_cert_cb]:3555
crt_is_known: did not find cert, using issuer DN + serial, using DN only
ASSERT: pkcs11.c[gnutls_pkcs11_crt_is_known]:4095
p11: No login requested.
ASSERT: pkcs11.c[find_cert_cb]:3730
p11: No login requested.
ASSERT: pkcs11.c[find_cert_cb]:3730
ASSERT: pkcs11.c[find_cert_cb]:3555
ASSERT: pkcs11.c[gnutls_pkcs11_crt_is_known]:4108
crt_is_known: did not find any cert
ASSERT: common.c[x509_read_value]:698
p11: No login requested.
ASSERT: pkcs11.c[find_cert_cb]:3730
p11: No login requested.
ASSERT: extensions.c[_gnutls_get_extension]:65
ASSERT: extensions.c[_gnutls_get_extension]:65
ASSERT: extensions.c[_gnutls_get_extension]:65
ASSERT: extensions.c[_gnutls_get_extension]:65
ASSERT: extensions.c[_gnutls_get_extension]:65
ASSERT: extensions.c[_gnutls_get_extension]:65
ASSERT: common.c[x509_read_value]:698
looking for key purpose '1.3.6.1.5.5.7.3.1', but have '1.3.6.1.5.5.7.3.4'
ASSERT: common.c[x509_read_value]:698
ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:1003
ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:1003
ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:1003
ASSERT: common.c[x509_read_value]:698
ASSERT: extensions.c[_gnutls_get_extension]:65
ASSERT: name_constraints.c[gnutls_x509_crt_get_name_constraints]:470
ASSERT: extensions.c[_gnutls_get_extension]:65
ASSERT: mpi.c[_gnutls_x509_read_uint]:246
ASSERT: common.c[x509_read_value]:698
ASSERT: extensions.c[_gnutls_get_extension]:65
ASSERT: name_constraints.c[gnutls_x509_crt_get_name_constraints]:470
ASSERT: extensions.c[_gnutls_get_extension]:65
ASSERT: buffers.c[get_last_packet]:1159
READ: Got 5 bytes from 0x5
READ: read 5 bytes from 0x5
RB: Have 0 bytes into buffer. Adding 5 bytes.
RB: Requested 5 bytes
REC[0x197e720]: SSL 3.3 Handshake packet received. Epoch 0, length: 1039
REC[0x197e720]: Expected Packet Handshake(22)
REC[0x197e720]: Received Packet Handshake(22) with length: 1039
READ: Got 1039 bytes from 0x5
READ: read 1039 bytes from 0x5
RB: Have 5 bytes into buffer. Adding 1039 bytes.
RB: Requested 1044 bytes
REC[0x197e720]: Decrypted Packet[2] Handshake(22) with length: 1039
BUF[REC]: Inserted 1039 bytes of Data(22)
HSK[0x197e720]: SERVER KEY EXCHANGE (12) was received. Length 1035[1035], frag offset 0, frag length: 1035, sequence: 0
ASSERT: extensions.c[_gnutls_get_extension]:65
HSK[0x197e720]: verify handshake data: using RSA-SHA512
ASSERT: buffers.c[get_last_packet]:1159
READ: Got 5 bytes from 0x5
READ: read 5 bytes from 0x5
RB: Have 0 bytes into buffer. Adding 5 bytes.
RB: Requested 5 bytes
REC[0x197e720]: SSL 3.3 Handshake packet received. Epoch 0, length: 1015
REC[0x197e720]: Expected Packet Handshake(22)
REC[0x197e720]: Received Packet Handshake(22) with length: 1015
READ: Got 1015 bytes from 0x5
READ: read 1015 bytes from 0x5
RB: Have 5 bytes into buffer. Adding 1015 bytes.
RB: Requested 1020 bytes
REC[0x197e720]: Decrypted Packet[3] Handshake(22) with length: 1015
BUF[REC]: Inserted 1015 bytes of Data(22)
HSK[0x197e720]: CERTIFICATE REQUEST (13) was received. Length 1007[1011], frag offset 0, frag length: 1007, sequence: 0
EXT[0x197e720]: rcvd signature algo (6.1) RSA-SHA512
EXT[0x197e720]: rcvd signature algo (6.2) DSA-SHA512
EXT[0x197e720]: rcvd signature algo (6.3) ECDSA-SHA512
EXT[0x197e720]: rcvd signature algo (5.1) RSA-SHA384
EXT[0x197e720]: rcvd signature algo (5.2) DSA-SHA384
EXT[0x197e720]: rcvd signature algo (5.3) ECDSA-SHA384
EXT[0x197e720]: rcvd signature algo (4.1) RSA-SHA256
EXT[0x197e720]: rcvd signature algo (4.2) DSA-SHA256
EXT[0x197e720]: rcvd signature algo (4.3) ECDSA-SHA256
EXT[0x197e720]: rcvd signature algo (2.1) RSA-SHA1
EXT[0x197e720]: rcvd signature algo (2.2) DSA-SHA1
EXT[0x197e720]: rcvd signature algo (2.3) ECDSA-SHA1
ASSERT: buffers.c[get_last_packet]:1159
HSK[0x197e720]: SERVER HELLO DONE (14) was received. Length 0[0], frag offset 0, frag length: 1, sequence: 0
ASSERT: buffers.c[_gnutls_handshake_io_recv_int]:1397
HSK[0x197e720]: CERTIFICATE was queued [1757 bytes]
HWRITE: enqueued [CERTIFICATE] 1757. Total 1757 bytes.
HSK[0x197e720]: CLIENT KEY EXCHANGE was queued [262 bytes]
HWRITE: enqueued [CLIENT KEY EXCHANGE] 262. Total 2019 bytes.
sign handshake cert vrfy: picked RSA-SHA512 with SHA512
ASSERT: pkcs11_privkey.c[_gnutls_pkcs11_privkey_sign_hash]:352
ASSERT: privkey.c[gnutls_privkey_sign_hash]:1175
ASSERT: tls-sig.c[_gnutls_handshake_sign_crt_vrfy12]:580
ASSERT: cert.c[_gnutls_gen_cert_client_crt_vrfy]:1477
ASSERT: kx.c[_gnutls_send_client_certificate_verify]:369
ASSERT: handshake.c[handshake_client]:2926
SSL connection failure: PKCS #11 erreur.
REC[0x197e720]: Start of epoch cleanup
REC[0x197e720]: End of epoch cleanup
REC[0x197e720]: Epoch #0 freed
REC[0x197e720]: Epoch #1 freed
Failed to open HTTPS connection to vpn.example.com
Failed to obtain WebVPN cookie
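
An added example, not part of the original post and not OpenConnect or GnuTLS code: a small Python triage script that reduces a --gnutls-debug log like the one above to the negotiated parameters and the ASSERT chain directly before the failure message. The function name triage and the choice of excerpt are assumptions of this example; the sample lines are copied from the attached log.

```python
import re

# Excerpt copied from the --gnutls-debug=99 log attached to the post above.
SAMPLE_LOG = """\
HSK[0x197e720]: Selected cipher suite: DHE_RSA_AES_256_CBC_SHA1
EXT[0x197e720]: rcvd signature algo (6.1) RSA-SHA512
EXT[0x197e720]: rcvd signature algo (4.1) RSA-SHA256
EXT[0x197e720]: rcvd signature algo (2.1) RSA-SHA1
ASSERT: buffers.c[_gnutls_handshake_io_recv_int]:1397
HSK[0x197e720]: CERTIFICATE was queued [1757 bytes]
HSK[0x197e720]: CLIENT KEY EXCHANGE was queued [262 bytes]
sign handshake cert vrfy: picked RSA-SHA512 with SHA512
ASSERT: pkcs11_privkey.c[_gnutls_pkcs11_privkey_sign_hash]:352
ASSERT: privkey.c[gnutls_privkey_sign_hash]:1175
ASSERT: tls-sig.c[_gnutls_handshake_sign_crt_vrfy12]:580
ASSERT: cert.c[_gnutls_gen_cert_client_crt_vrfy]:1477
ASSERT: kx.c[_gnutls_send_client_certificate_verify]:369
ASSERT: handshake.c[handshake_client]:2926
SSL connection failure: PKCS #11 erreur.
"""

ASSERT_RE = re.compile(r"^ASSERT: (\S+?)\[(\w+)\]:(\d+)$")
SUITE_RE = re.compile(r"Selected cipher suite: (\S+)")
OFFERED_RE = re.compile(r"rcvd signature algo \([\d.]+\) (\S+)")
PICKED_RE = re.compile(r"cert vrfy: picked (\S+)")
FAIL_RE = re.compile(r"^SSL connection failure: (.*)$")


def triage(log_text):
    """Return negotiated parameters and the unbroken run of ASSERT lines
    directly before the failure message (innermost call first)."""
    out = {"cipher_suite": None, "server_sig_algos": [],
           "picked_sig_algo": None, "failure": None, "assert_chain": []}
    run = []  # consecutive ASSERT lines seen so far
    for line in map(str.strip, log_text.splitlines()):
        m = ASSERT_RE.match(line)
        if m:
            run.append((m.group(1), m.group(2), int(m.group(3))))
            continue
        m = FAIL_RE.match(line)
        if m:
            out["failure"], out["assert_chain"] = m.group(1), run
            break
        run = []  # any non-ASSERT line ends the current chain
        if m := SUITE_RE.search(line):
            out["cipher_suite"] = m.group(1)
        elif m := OFFERED_RE.search(line):
            out["server_sig_algos"].append(m.group(1))
        elif m := PICKED_RE.search(line):
            out["picked_sig_algo"] = m.group(1)
    return out


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("cipher suite :", report["cipher_suite"])
    print("signature    :", report["picked_sig_algo"])
    print("failure      :", report["failure"])
    for src, func, lineno in report["assert_chain"]:
        print(f"  {src}:{lineno} {func}")
```

The chain is listed innermost first, so its first entry is the call where the error was raised; earlier ASSERT lines separated from the failure by other output are deliberately dropped.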

