OpenConnect v9.01 - "--protocol=pulse" does not work with TPM2

David Woodhouse dwmw2 at
Wed May 4 03:48:32 PDT 2022

On Wed, 2022-05-04 at 10:23 +0000, Schütz Dominik wrote:
> dominik at host1:~$ sudo openconnect --script=/root/vpnc-script --certificate=/var/lib/802.1x/host1.pem --sslkey=/usr/local/wlan/host1.key --protocol=pulse "https://vpn-gateway/linux"
> Connected to
> Using client certificate 'HOST1'
> SSL negotiation with vpn-gateway
> Connected to HTTPS on vpn-gateway with ciphersuite (TLS1.2)-(RSA)-(AES-128-GCM)
> Got HTTP response: HTTP/1.1 101 Switching Protocols
> Bad EAP-TTLS packet (len 93, left 0)
> Failed to establish EAP-TTLS session
> Failed to complete authentication
> dominik at host1:~$

I suspect that isn't really related to TPMv2 but actually affects all
certificate authentication? Are you able to test with a certificate
from a plain file? Probably doesn't even matter if it's a *valid* one
since I don't think you're getting that far.

The Pulse protocol is kind of weird here. It tunnels a TLS negotiation
(EAP-TTLS) within multiple layers of binary protocols inside the
original TLS connection to the server. Depending on the client version
that we pretend to be, it might even attempt to tunnel EAP-TLS *within*
EAP-TTLS, which is entirely bizarre.

Can you run with '-vv --dump-http-traffic' and show me the full session
until it gets to that point please? Probably best to do that off-list.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5965 bytes
Desc: not available
URL: <>

More information about the openconnect-devel mailing list