SSL connection failure: PKCS #11 error

David Woodhouse dwmw2 at
Thu Mar 7 06:36:35 PST 2024

On Wed, 2024-03-06 at 12:44 +0100, Grant Williamson wrote:
> I am attempting to transition our existing environment of signed
> Digicert certificates from RSA-4096 to ECC256. The digicert one
> signing process appears to work.
> When using a software-emulated TPM, the connection is succesful.
> When I try hardware tpm(3 laptops) I encounter the folowing problem
> ERROR: Esys_Sign: tpm:parameter(1):structure is the wrong size
> SSL connection failure: PKCS #11 error.
> I have tried generating the csr to be signed using both tpm2-openssl
> and pkcs11-provider, same result.
> Maybe the following gives a clue. Any ideas?
> (openconnect with --gnutls-debug=99 -v)

I think that's a GnuTLS bug. What version of GnuTLS is it?

If you're using a Prime256 key, then the SHA512 hash ought to be
truncated to 32 bytes, and then we'd tell the TPM that it's actually a
SHA256. See;a=blob;f=gnutls_tpm2_esys.c;hb=HEAD#l487

As a nasty hack, since you know you have a 256-bit EC key (although I
didn't personally validate that assertion in your logs), can you try
hard-coding it to use TPM2_ALG_SHA256 and set digest.size=32 in
tpm2_ec_sign_hash_fn() ? 

Do this in either gnutls_tpm2_esys.c or gnutls_tpm2_ibm.c; whichever is
being used on your system. Probably the former.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5965 bytes
Desc: not available
URL: <>

More information about the openconnect-devel mailing list