Openconnect supporting SafeNet eToken 5300

Pavel Gavronsky kamm555 at hotmail.com
Tue Jun 28 06:52:53 PDT 2022


Hi Dimitri,

Sorry for the late response, I had no access to my system to try the new installation.

Finally, I have installed 9.00:

openconnect -V
OpenConnect version v9.00
Using OpenSSL 1.1.1n  15 Mar 2022. Features present: TPM (OpenSSL ENGINE not present), PKCS#11, HOTP software token, TOTP software token, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
Default vpnc-script (override with --script): /usr/share/vpnc-scripts/vpnc-script

Unfortunately, I am not able to connect; the following error appears when I try to use a SmartCard or USB Token:

Failed to enumerate PKCS#11 slots
140593529243456:error:81071054:PKCS#11 module:pkcs11_init_slot:Function not supported:p11_slot.c:428:
Loading certificate failed. Aborting.
Failed to complete authentication


Both SmartCard and USB Token are connected and available:

#  pkcs11-tool --module /usr/lib/libeTokenHID.so -L
Available slots:
Slot 0 (0x0): SafeNet eToken 5300 [eToken 5300] (FFFFFFFFFFFF) 00 00
  token label        : xxxx
  token manufacturer : Gemalto
  token model        : ID Prime MD
  token flags        : login required, rng, token initialized, PIN initialized, other flags=0x200
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 09E8xxxxx3E3xxx9
  pin min/max        : 4/16
Slot 1 (0x1): ACS ACR39U ICC Reader 01 00
  token label        : xxxxxx
  token manufacturer : SafeNet, Inc.
  token model        : eToken
  token flags        : login required, rng, token initialized, PIN initialized, other flags=0x200
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 02xxxxeb42
  pin min/max        : 8/20
Slot 2 (0x2):
  (empty)
Slot 3 (0x3):
  (empty)
Slot 4 (0x4):
  (empty)
Slot 5 (0x5):
  (empty)
Slot 6 (0x6):
  (empty)
Slot 7 (0x7):
  (empty)


I am attaching the ldd output for reference:

ldd /usr/local/sbin/openconnect
        linux-vdso.so.1 (0x00007fffc95db000)
        libopenconnect.so.5 => /usr/local/lib/libopenconnect.so.5 (0x00007fdb79531000)
        libxml2.so.2 => /lib/x86_64-linux-gnu/libxml2.so.2 (0x00007fdb79383000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fdb791be000)
        libssl.so.1.1 => /lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007fdb7912b000)
        libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007fdb78e37000)
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fdb78e1a000)
        libp11.so.3 => /lib/x86_64-linux-gnu/libp11.so.3 (0x00007fdb78e07000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fdb78cc3000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fdb78cbd000)
        libicuuc.so.67 => /lib/x86_64-linux-gnu/libicuuc.so.67 (0x00007fdb78ad4000)
        liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007fdb78aac000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fdb795ca000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fdb78a8a000)
        libicudata.so.67 => /lib/x86_64-linux-gnu/libicudata.so.67 (0x00007fdb76f6f000)
        libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007fdb76da2000)
        libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007fdb76d88000)


Thank you,
Pavel
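Both this message and the original report below pair a `pkcs11:` URI (the `-c` argument to openconnect) with a token listing from `pkcs11-tool`. The following is an added example, my own code rather than anything from OpenConnect or pkcs11-tool, that parses an RFC 7512 URI and a `pkcs11-tool -L` listing and reports which slot the URI's token, manufacturer, model and serial attributes actually select. The sample listing and URI are constructed from the masked values in this thread; the CKA_ID bytes in the sample URI are made up.

```python
"""Cross-check a PKCS#11 URI (RFC 7512) against the tokens pkcs11-tool lists.

Added example for this thread, not OpenConnect or pkcs11-tool code. It parses
the 'pkcs11:' URI handed to 'openconnect -c' and the text printed by
'pkcs11-tool --module ... -L', then reports which slot(s) the URI's
token/manufacturer/model/serial attributes select. The sample inputs below are
constructed from the listing in the message (masked values kept as 'xxxx').
"""
import re
from urllib.parse import unquote_to_bytes

# URI attributes that identify a token (not an object on it) per RFC 7512.
TOKEN_ATTRS = ("token", "manufacturer", "model", "serial")

# Map pkcs11-tool's labels to the RFC 7512 attribute names.
LISTING_KEYS = {
    "token label": "token",
    "token manufacturer": "manufacturer",
    "token model": "model",
    "serial num": "serial",
}

SLOT_RE = re.compile(r"^Slot (\d+) \(0x[0-9A-Fa-f]+\):\s*(.*)$")
ATTR_RE = re.compile(r"^\s+(token label|token manufacturer|token model|serial num)\s*:\s*(.*)$")


def parse_pkcs11_uri(uri):
    """Return the URI's path attributes as {name: raw bytes} (percent-decoded).

    Values stay bytes because 'id' is a CKA_ID byte string, not text.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, _query = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    for part in path.split(";"):  # RFC 7512 requires ';' inside values to be %-encoded
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed attribute: %r" % part)
        attrs[name] = unquote_to_bytes(value)
    return attrs


def parse_pkcs11_tool_listing(text):
    """Parse 'pkcs11-tool -L' output into [{'slot': n, 'description': str, 'token': dict|None}]."""
    slots = []
    current = None
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            current = {"slot": int(m.group(1)), "description": m.group(2).strip(), "token": {}}
            slots.append(current)
            continue
        if current is None:
            continue
        if line.strip() == "(empty)":
            current["token"] = None  # slot present, but no token inserted
            continue
        m = ATTR_RE.match(line)
        if m and current["token"] is not None:
            current["token"][LISTING_KEYS[m.group(1)]] = m.group(2).strip()
    return slots


def match_uri_to_tokens(uri, slots):
    """Return slot numbers whose token satisfies every token attribute in the URI."""
    attrs = parse_pkcs11_uri(uri)
    wanted = {k: attrs[k].decode("utf-8") for k in TOKEN_ATTRS if k in attrs}
    return [s["slot"] for s in slots
            if s["token"] is not None
            and all(s["token"].get(k) == v for k, v in wanted.items())]


# Constructed sample: the slot listing from the message, trimmed to three slots.
SAMPLE_LISTING = """\
Available slots:
Slot 0 (0x0): SafeNet eToken 5300 [eToken 5300] (FFFFFFFFFFFF) 00 00
  token label        : xxxx
  token manufacturer : Gemalto
  token model        : ID Prime MD
  token flags        : login required, rng, token initialized, PIN initialized, other flags=0x200
  serial num         : 09E8xxxxx3E3xxx9
  pin min/max        : 4/16
Slot 1 (0x1): ACS ACR39U ICC Reader 01 00
  token label        : xxxxxx
  token manufacturer : SafeNet, Inc.
  token model        : eToken
  serial num         : 02xxxxeb42
Slot 2 (0x2):
  (empty)
"""

# Constructed URI in the shape used with 'openconnect -c'; the CKA_ID bytes are made up.
SAMPLE_URI = ("pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=09E8xxxxx3E3xxx9;"
              "token=xxxx;id=%B6%A2%19%65%D6%5C%0C%FD%7E;object=PGCert;type=cert")

if __name__ == "__main__":
    slots = parse_pkcs11_tool_listing(SAMPLE_LISTING)
    print("URI selects slot(s):", match_uri_to_tokens(SAMPLE_URI, slots))
```

The script needs no vendor module loaded, so it can be run on any machine against pasted output. Matching on `serial` as well as `token` label is what keeps a URI from silently selecting the wrong token when two readers are present, as they are here. Note that the enumeration failure in this message (`pkcs11_init_slot` in libp11's `p11_slot.c`) is raised before any URI is consulted, so a clean match from this check only rules out a URI/token mismatch; it says nothing about the module's slot initialisation.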

From: Dimitri Papadopoulos <dimitri.papadopoulos at cea.fr>
Sent: Thursday, June 23, 2022 7:06 PM
To: Pavel Gavronsky <kamm555 at hotmail.com>; openconnect-devel at lists.infradead.org <openconnect-devel at lists.infradead.org>
Subject: Re: Openconnect supporting SafeNet eToken 5300 
 
Hi Pavel,

How did you try to build OpenConnect 9.01? These instructions should 
work on any Linux distribution:
        [download source code, unpack in a folder, enter that folder]
        ./configure
        make
provided these requirements are met:
        https://www.infradead.org/openconnect/building.html

The error message you show us might be caused by a previous error that 
we do not see. A full build log would help (add it to issue 
https://gitlab.com/openconnect/openconnect/-/issues/242). Also which 
Linux distribution are you building on?

Dimitri

On 23/06/2022 at 15:27, Pavel Gavronsky wrote:
> Hi Dmitri,
> 
> Thank you for the reply.
> 
> I tried to install the latest openconnect version; however, when running "make" to build it, the following error appeared:
> 
> make[1]: *** No rule to make target '../libopenconnect.la', needed by 'serverhash'.  Stop.
> make[1]: Leaving directory '/tmp/openconnect-9.01/tests'
> make: *** [Makefile:1749: check-recursive] Error 1
> 
> 
> I will try to install other releases which are newer than the one I have currently.
> 
> Regards,
> Pavel
> 
> From: Dimitri Papadopoulos <dimitri.papadopoulos at cea.fr>
> Sent: Tuesday, June 21, 2022 6:41 PM
> To: Pavel Gavronsky <kamm555 at hotmail.com>; openconnect-devel at lists.infradead.org <openconnect-devel at lists.infradead.org>
> Subject: Re: Openconnect supporting SafeNet eToken 5300
>   
> Hi,
> 
> Is this issue identical to that one filed a year ago?
> 
>          https://gitlab.com/openconnect/openconnect/-/issues/242
> 
> Have you tried a newer version of OpenConnect as suggested in this issue?
> 
> Best Regards,
> Dimitri
> 
> On 21/06/2022 at 16:38, Pavel Gavronsky wrote:
>> Hello,
>>
>> I am using Openconnect with a PULSE appliance where the authentication is done by SmartCard (ACS ACR39U ICC Reader). The connection is established without any issue.
>> When trying to use the SafeNet USB eToken 5300, there is an error: "Loading certificate failed. Aborting. Failed to obtain WebVPN cookie".
>>
>> $ uname -a
>> Linux xxx-xx-A 5.10.0-10-amd64 #1 SMP Debian 5.10.84-1 (2021-12-08) x86_64 GNU/Linux
>>
>> Debugging info (GNUTLS_DEBUG_LEVEL=9):
>>
>> /usr/sbin/openconnect -V
>> OpenConnect version v8.10-2+b1
>> Using GnuTLS 3.7.1. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
>> Supported protocols: anyconnect (default), nc, gp, pulse
>>
>> openconnect --protocol=pulse pdc.xxx.xxx:443/xxxx --servercert "pin-sha256:xxxxcXCTMPxxx" -c 'pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=cert' -vvv
>> gnutls[2]: Enabled GnuTLS 3.7.1 logging...
>> gnutls[2]: getrandom random generator was detected
>> gnutls[2]: Intel SSSE3 was detected
>> gnutls[2]: Intel AES accelerator was detected
>> gnutls[2]: Intel GCM accelerator was detected
>> gnutls[2]: cfg: unable to access: /etc/gnutls/config: 2
>> Attempting to connect to server x.x.x.x:443
>> Connected to x.x.x.x:443
>> Using PKCS#11 certificate pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=cert
>> gnutls[2]: Initializing all PKCS #11 modules
>> gnutls[2]: p11: Initializing module: p11-kit-trust
>> gnutls[2]: p11: Initializing module: opensc
>> gnutls[2]: p11: Initializing module: opensc-pkcs11
>> gnutls[3]: ASSERT: ../../lib/pkcs11.c[compat_load]:896
>> gnutls[2]: p11: No login requested.
>> Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private
>> PIN required for xxx
>> Enter PIN:
>> gnutls[2]: p11: Login result = ok (0)
>> gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
>> gnutls[2]: p11: No login requested.
>> Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private
>> gnutls[2]: p11: Login result = ok (0)
>> gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
>> Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private
>> gnutls[2]: p11: Login result = ok (0)
>> gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
>> Error importing PKCS#11 URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private: The requested data were not available.
>> Loading certificate failed. Aborting.
>> Failed to obtain WebVPN cookie
>>
>>
>>
>>
>> pkcs11-tool --module /usr/lib/libeToken.so  --list-token-slots
>> Available slots:
>> Slot 0 (0x0): SafeNet eToken 5300 [eToken 5300] (FFFFFFFFFFFF) 00 00
>>      token label        : xxxx
>>      token manufacturer : Gemalto
>>      token model        : ID Prime MD
>>      token flags        : login required, rng, token initialized, PIN initialized, other flags=0x200
>>      hardware version   : 0.0
>>      firmware version   : 0.0
>>      serial num         : xxxx39
>>      pin min/max        : 4/16
>> Slot 1 (0x1): ACS ACR39U ICC Reader 01 00
>>      token label        : GSTEST01
>>      token manufacturer : SafeNet, Inc.
>>      token model        : eToken
>>      token flags        : login required, rng, token initialized, PIN initialized, other flags=0x200
>>      hardware version   : 0.0
>>      firmware version   : 0.0
>>      serial num         : xx
>>      pin min/max        : 8/20
>>
>>
>> pkcs11-tool --module /usr/lib/libeTokenHID.so  -v -l -t --slot 0
>> Using slot with ID 0x0
>> Logging in to "xxxx".
>> Please enter User PIN:
>> C_SeedRandom() and C_GenerateRandom():
>>      seems to be OK
>> Digests:
>>      all 4 digest functions seem to work
>>      SHA-1: OK
>> Signatures (currently only for RSA)
>>      testing key 0 ()
>>      ERR: C_SignUpdate failed: CKR_KEY_FUNCTION_NOT_PERMITTED (0x68)
>> error: PKCS11 function C_Sign failed: rv = CKR_FUNCTION_FAILED (0x6)
>> Aborting.
>>
>>
>> pkcs11-tool --module /usr/lib/libeTokenHID.so  -v -l -t --slot 1
>> Using slot with ID 0x1
>> Logging in to "xxxx".
>> Please enter User PIN:
>> C_SeedRandom() and C_GenerateRandom():
>>      seems to be OK
>> Digests:
>>      all 4 digest functions seem to work
>>      SHA-1: OK
>> Signatures (currently only for RSA)
>>      testing key 0 (No Friendly Name Available)
>>      ERR: C_SignUpdate failed: CKR_KEY_FUNCTION_NOT_PERMITTED (0x68)
>>      testing signature mechanisms:
>>        RSA-PKCS: OK
>>        SHA256-RSA-PKCS: OK
>> Verify (currently only for RSA)
>>      testing key 0 (No Friendly Name Available)
>>        RSA-PKCS: OK
>> Decryption (currently only for RSA)
>>      testing key 0 (No Friendly Name Available)
>>     -- mechanism can't be used to decrypt, skipping
>>     -- mechanism can't be used to decrypt, skipping
>>     -- mechanism can't be used to decrypt, skipping
>>     -- mechanism can't be used to decrypt, skipping
>>     -- mechanism can't be used to decrypt, skipping
>>     -- mechanism can't be used to decrypt, skipping
>>        RSA-PKCS: OK
>>        RSA-PKCS-OAEP: mgf not set, defaulting to MGF1-SHA256
>> OAEP parameters: hashAlg=SHA256, mgf=MGF1-SHA256, source_type=0, source_ptr=(nil), source_len=0
>> OK
>> 1 errors
>>
>>
>> Any ideas?
>>
>> Thank you in advance,
>> Pavel

