On Wed, 2022-05-04 at 10:23 +0000, Schütz Dominik wrote: > dominik at host1:~$ sudo openconnect --script=/root/vpnc-script > --certificate=/var/lib/802.1x/host1.pem --sslkey=/usr/local/wlan/host1.key > --protocol=pulse "https://vpn-gateway/linux"; > Connected to xxx.xxx.xxx.xxx:443 > Using client certificate 'HOST1' > SSL negotiation with vpn-gateway > Connected to HTTPS on vpn-gateway with ciphersuite > (TLS1.2)-(RSA)-(AES-128-GCM) > Got HTTP response: HTTP/1.1 101 Switching Protocols > Bad EAP-TTLS packet (len 93, left 0) > Failed to establish EAP-TTLS session > Failed to complete authentication > dominik at host1:~$
I suspect that isn't really related to TPMv2 but actually affects all certificate authentication? Are you able to test with a certificate from a plain file? Probably doesn't even matter if it's a *valid* one since I don't think you're getting that far. The Pulse protocol is kind of weird here. It tunnels a TLS negotiation (EAP-TTLS) within multiple layers of binary protocols inside the original TLS connection to the server. Depending on the client version that we pretend to be, it might even attempt to tunnel EAP-TLS *within* EAP-TTLS, which is entirely bizarre. Can you run with '-vv --dump-http-traffic' and show me the full session until it gets to that point please? Probably best to do that off-list.
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ openconnect-devel mailing list openconnect-devel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/openconnect-devel
