Openconnect supporting SafeNet eToken 5300
Dimitri Papadopoulos Orfanos
dimitri.papadopoulos at cea.fr
Wed Jun 29 01:37:39 PDT 2022
Hi,
GNUTLS_DEBUG_LEVEL has no effect because you have built OpenConnect
against OpenSSL instead of GnuTLS:
OpenConnect version v9.00
Using OpenSSL 1.1.1n 15 Mar 2022. [...]
It is probably better to compare different versions of OpenConnect built
against the same crypto library.
Dimitri
Le 29/06/2022 à 09:59, Pavel Gavronsky a écrit :
> Nikos many thanks,
>
> I tried to compare the debug output from the old and new builds.
> Indeed, there are some differences.
> Any ideas why GNUTLS_DEBUG_LEVEL flag is not working in the v9.00 release? I see no gnutls output at all, while in the previous v8.10 it was OK
>
> Thank you in advance,
> Pavel
>
>
> From: Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com>
> Sent: Tuesday, June 28, 2022 4:02 PM
> To: Pavel Gavronsky <kamm555 at hotmail.com>
> Cc: Dimitri Papadopoulos <dimitri.papadopoulos at cea.fr>; openconnect-devel at lists.infradead.org <openconnect-devel at lists.infradead.org>
> Subject: Re: Openconnect supporting SafeNet eToken 5300
>
> On Tue, Jun 28, 2022 at 3:53 PM Pavel Gavronsky <kamm555 at hotmail.com> wrote:
>>
>> Hi Dimitri,
>>
>> Sorry for the late response, I had no access to my system to try the new installation.
>>
>> Finally, I have installed 9.00:
>>
>> openconnect -V
>> OpenConnect version v9.00
>> Using OpenSSL 1.1.1n 15 Mar 2022. Features present: TPM (OpenSSL ENGINE not present), PKCS#11, HOTP software token, TOTP software token, DTLS, ESP
>> Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
>> Default vpnc-script (override with --script): /usr/share/vpnc-scripts/vpnc-script
>>
>> Unfortunately, I am not able to connect, the following error appears when I try to use a SmartCard or USB Token:
>>
>> Failed to enumerate PKCS#11 slots
>> 140593529243456:error:81071054:PKCS#11 module:pkcs11_init_slot:Function not supported:p11_slot.c:428:
>> Loading certificate failed. Aborting.
>> Failed to complete authentication
>
> Often the creators of the proprietary pkcs11 modules make them
> implement the minimum necessary functionality to do 1-2 things and
> most other use cases will fail. It may be the same here. You can debug
> further pkcs11 by setting P11_KIT_DEBUG=all but I suspect there is
> little one can do with openconnect, as it is the pkcs11 module that
> misbehaves. You can try contacting the creator of the proprietary
> module, and if you have a (big) contract with them you may be able to
> solve it.
>
> regards,
> Nikos
More information about the openconnect-devel
mailing list