Hello, I am using OpenConnect with a PULSE appliance where the authentication is done by SmartCard (ACS ACR39U ICC Reader). The connection is established without any issue. When trying to use a SafeNet USB eToken 5300, there is an error: "Loading certificate failed. Aborting. Failed to obtain WebVPN cookie".
$ uname -a
Linux xxx-xx-A 5.10.0-10-amd64 #1 SMP Debian 5.10.84-1 (2021-12-08) x86_64 GNU/Linux

Debugging info (GNUTLS_DEBUG_LEVEL=9):

/usr/sbin/openconnect -V
OpenConnect version v8.10-2+b1
Using GnuTLS 3.7.1. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse

openconnect --protocol=pulse pdc.xxx.xxx:443/xxxx --servercert "pin-sha256:xxxxcXCTMPxxx" -c 'pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=cert' -vvv
gnutls[2]: Enabled GnuTLS 3.7.1 logging...
gnutls[2]: getrandom random generator was detected
gnutls[2]: Intel SSSE3 was detected
gnutls[2]: Intel AES accelerator was detected
gnutls[2]: Intel GCM accelerator was detected
gnutls[2]: cfg: unable to access: /etc/gnutls/config: 2
Attempting to connect to server x.x.x.x:443
Connected to x.x.x.x:443
Using PKCS#11 certificate pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=cert
gnutls[2]: Initializing all PKCS #11 modules
gnutls[2]: p11: Initializing module: p11-kit-trust
gnutls[2]: p11: Initializing module: opensc
gnutls[2]: p11: Initializing module: opensc-pkcs11
gnutls[3]: ASSERT: ../../lib/pkcs11.c[compat_load]:896
gnutls[2]: p11: No login requested.
Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private
PIN required for xxx
Enter PIN:
gnutls[2]: p11: Login result = ok (0)
gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
gnutls[2]: p11: No login requested.
Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private
gnutls[2]: p11: Login result = ok (0)
gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private
gnutls[2]: p11: Login result = ok (0)
gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
Error importing PKCS#11 URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private: The requested data were not available.
Loading certificate failed.
Aborting.
Failed to obtain WebVPN cookie

pkcs11-tool --module /usr/lib/libeToken.so --list-token-slots
Available slots:
Slot 0 (0x0): SafeNet eToken 5300 [eToken 5300] (FFFFFFFFFFFF) 00 00
  token label        : xxxx
  token manufacturer : Gemalto
  token model        : ID Prime MD
  token flags        : login required, rng, token initialized, PIN initialized, other flags=0x200
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : xxxx39
  pin min/max        : 4/16
Slot 1 (0x1): ACS ACR39U ICC Reader 01 00
  token label        : GSTEST01
  token manufacturer : SafeNet, Inc.
  token model        : eToken
  token flags        : login required, rng, token initialized, PIN initialized, other flags=0x200
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : xx
  pin min/max        : 8/20

pkcs11-tool --module /usr/lib/libeTokenHID.so -v -l -t --slot 0
Using slot with ID 0x0
Logging in to "xxxx".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
  seems to be OK
Digests:
  all 4 digest functions seem to work
  SHA-1: OK
Signatures (currently only for RSA)
  testing key 0 ()
ERR: C_SignUpdate failed: CKR_KEY_FUNCTION_NOT_PERMITTED (0x68)
error: PKCS11 function C_Sign failed: rv = CKR_FUNCTION_FAILED (0x6)
Aborting.

pkcs11-tool --module /usr/lib/libeTokenHID.so -v -l -t --slot 1
Using slot with ID 0x1
Logging in to "xxxx".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
  seems to be OK
Digests:
  all 4 digest functions seem to work
  SHA-1: OK
Signatures (currently only for RSA)
  testing key 0 (No Friendly Name Available)
ERR: C_SignUpdate failed: CKR_KEY_FUNCTION_NOT_PERMITTED (0x68)
  testing signature mechanisms:
    RSA-PKCS: OK
    SHA256-RSA-PKCS: OK
Verify (currently only for RSA)
  testing key 0 (No Friendly Name Available)
    RSA-PKCS: OK
Decryption (currently only for RSA)
  testing key 0 (No Friendly Name Available)
    -- mechanism can't be used to decrypt, skipping
    -- mechanism can't be used to decrypt, skipping
    -- mechanism can't be used to decrypt, skipping
    -- mechanism can't be used to decrypt, skipping
    -- mechanism can't be used to decrypt, skipping
    -- mechanism can't be used to decrypt, skipping
    RSA-PKCS: OK
    RSA-PKCS-OAEP: mgf not set, defaulting to MGF1-SHA256
    OAEP parameters: hashAlg=SHA256, mgf=MGF1-SHA256, source_type=0, source_ptr=(nil), source_len=0
    OK
1 errors

Any ideas?

Thank you in advance,
Pavel

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
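The log above shows that the private-key URL tried is the certificate URL with only `type=cert` replaced by `type=private`, so the key object is expected to carry the same `object=` label and `id=` as the certificate. A quick offline way to check whether a token's objects would satisfy that lookup is to parse the RFC 7512 `pkcs11:` URL and compare its attributes against the object list. The script below is an added example, not code from OpenConnect or GnuTLS; the token objects, serial, label and `id` bytes in it are constructed sample data (standing in for what `p11tool --list-all --login` would print), and the "match by id only" retry is a diagnostic idea, not something the post confirms works for this token.

```python
"""Check a PKCS#11 certificate URL against a token's object list.

Added example (not OpenConnect/GnuTLS code). OBJECTS and CERT_URL are
constructed sample data, not the redacted values from the post.
"""
from urllib.parse import quote_from_bytes, unquote_to_bytes

# RFC 7512 path attributes that select an object; query attributes
# such as pin-value or module-name do not identify objects.
MATCH_ATTRS = ("model", "manufacturer", "serial", "token", "id", "object", "type")


def parse_pkcs11_url(url):
    """Split 'pkcs11:k=v;k=v?query' into a dict of percent-decoded byte values."""
    if not url.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URL: %r" % url)
    path = url[len("pkcs11:"):].split("?", 1)[0]  # query part is ignored here
    attrs = {}
    for component in path.split(";"):
        if not component:
            continue
        name, sep, value = component.partition("=")
        if not sep:
            raise ValueError("malformed path component: %r" % component)
        attrs[name] = unquote_to_bytes(value)  # id= is binary, so keep bytes
    return attrs


def format_pkcs11_url(attrs):
    """Inverse of parse_pkcs11_url; non-unreserved bytes become %XX."""
    return "pkcs11:" + ";".join(
        "%s=%s" % (name, quote_from_bytes(value, safe=""))
        for name, value in attrs.items())


def derived_key_url(cert_url):
    """The key URL seen in the log: every attribute kept, type=cert -> type=private."""
    attrs = parse_pkcs11_url(cert_url)
    attrs["type"] = b"private"
    return format_pkcs11_url(attrs)


def key_url_by_id(cert_url):
    """Hypothetical retry: drop the object label and rely on id= only (assumption)."""
    attrs = parse_pkcs11_url(cert_url)
    attrs.pop("object", None)
    attrs["type"] = b"private"
    return format_pkcs11_url(attrs)


def find_objects(url, objects):
    """Return the token objects whose attributes equal every selecting attribute in url."""
    attrs = parse_pkcs11_url(url)
    wanted = {k: v for k, v in attrs.items() if k in MATCH_ATTRS}
    return [o for o in objects if all(o.get(k) == v for k, v in wanted.items())]


# Constructed token inventory: the private key shares the certificate's CKA_ID
# but carries a different CKA_LABEL, which is enough to defeat a label-based lookup.
_TOKEN = {"model": b"ID Prime MD", "manufacturer": b"Gemalto",
          "serial": b"SAMPLE39", "token": b"SAMPLETOKEN"}
_ID = b"\x01\x02\x03\x04"  # constructed, not the redacted id from the post
OBJECTS = [
    dict(_TOKEN, type=b"cert", object=b"PGCert", id=_ID),
    dict(_TOKEN, type=b"public", object=b"PGKey", id=_ID),
    dict(_TOKEN, type=b"private", object=b"PGKey", id=_ID),
]
CERT_URL = ("pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=SAMPLE39;"
            "token=SAMPLETOKEN;id=%01%02%03%04;object=PGCert;type=cert")


def diagnose(cert_url, objects):
    """Summarise what the certificate URL and its derived key URLs select."""
    return {
        "cert": len(find_objects(cert_url, objects)),
        "key_same_label": len(find_objects(derived_key_url(cert_url), objects)),
        "key_by_id": len(find_objects(key_url_by_id(cert_url), objects)),
    }


if __name__ == "__main__":
    for name, count in diagnose(CERT_URL, OBJECTS).items():
        print("%-15s %d object(s)" % (name, count))
    print("derived key URL:", derived_key_url(CERT_URL))
```

Feeding a real object list would mean filling `OBJECTS` from `p11tool --list-all --login` (or `pkcs11-tool --list-objects --login`) for the eToken slot; if the private key's label or id differs from the certificate's, the derived `type=private` URL selects nothing, which is consistent with the "requested data were not available" error, and a URL built from the key's own attributes would be the thing to try.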