Hi Dimitri,

Thank you for the reply.
I tried to install the latest openconnect version, however when running "make" on the build the following error appeared:

make[1]: *** No rule to make target '../libopenconnect.la', needed by 'serverhash'. Stop.
make[1]: Leaving directory '/tmp/openconnect-9.01/tests'
make: *** [Makefile:1749: check-recursive] Error 1

I will try to install other releases which are newer than the one I have currently.

Regards,
Pavel

From: Dimitri Papadopoulos <dimitri.papadopou...@cea.fr>
Sent: Tuesday, June 21, 2022 6:41 PM
To: Pavel Gavronsky <kamm...@hotmail.com>; openconnect-devel@lists.infradead.org <openconnect-devel@lists.infradead.org>
Subject: Re: Openconnect supporting SafeNet eToken 5300

Hi,

Is this issue identical to that one filed a year ago?
https://gitlab.com/openconnect/openconnect/-/issues/242

Have you tried a newer version of OpenConnect as suggested in this issue?

Best Regards,
Dimitri

On 21/06/2022 at 16:38, Pavel Gavronsky wrote:
> Hello,
>
> I am using Openconnect with PULSE appliance where the authentication is done
> by SmartCard (ACS ACR39U ICC Reader). The connection is established without
> any issue.
> When trying to use SafeNet USB eToken 5300 - there is an error "Loading
> certificate failed. Aborting. Failed to obtain WebVPN cookie".
>
> $ uname -a
> Linux xxx-xx-A 5.10.0-10-amd64 #1 SMP Debian 5.10.84-1 (2021-12-08) x86_64 GNU/Linux
>
> Debugging info (GNUTLS_DEBUG_LEVEL=9):
>
> /usr/sbin/openconnect -V
> OpenConnect version v8.10-2+b1
> Using GnuTLS 3.7.1. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
> Supported protocols: anyconnect (default), nc, gp, pulse
>
> openconnect --protocol=pulse pdc.xxx.xxx:443/xxxx --servercert "pin-sha256:xxxxcXCTMPxxx" -c 'pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=cert' -vvv
> gnutls[2]: Enabled GnuTLS 3.7.1 logging...
> gnutls[2]: getrandom random generator was detected
> gnutls[2]: Intel SSSE3 was detected
> gnutls[2]: Intel AES accelerator was detected
> gnutls[2]: Intel GCM accelerator was detected
> gnutls[2]: cfg: unable to access: /etc/gnutls/config: 2
> Attempting to connect to server x.x.x.x:443
> Connected to x.x.x.x:443
> Using PKCS#11 certificate pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=cert
> gnutls[2]: Initializing all PKCS #11 modules
> gnutls[2]: p11: Initializing module: p11-kit-trust
> gnutls[2]: p11: Initializing module: opensc
> gnutls[2]: p11: Initializing module: opensc-pkcs11
> gnutls[3]: ASSERT: ../../lib/pkcs11.c[compat_load]:896
> gnutls[2]: p11: No login requested.
> Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private
> PIN required for xxx
> Enter PIN:
> gnutls[2]: p11: Login result = ok (0)
> gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
> gnutls[2]: p11: No login requested.
> Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private
> gnutls[2]: p11: Login result = ok (0)
> gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
> Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private
> gnutls[2]: p11: Login result = ok (0)
> gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
> Error importing PKCS#11 URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private: The requested data were not available.
> Loading certificate failed. Aborting.
> Failed to obtain WebVPN cookie
>
>
> pkcs11-tool --module /usr/lib/libeToken.so --list-token-slots
> Available slots:
> Slot 0 (0x0): SafeNet eToken 5300 [eToken 5300] (FFFFFFFFFFFF) 00 00
>   token label        : xxxx
>   token manufacturer : Gemalto
>   token model        : ID Prime MD
>   token flags        : login required, rng, token initialized, PIN initialized, other flags=0x200
>   hardware version   : 0.0
>   firmware version   : 0.0
>   serial num         : xxxx39
>   pin min/max        : 4/16
> Slot 1 (0x1): ACS ACR39U ICC Reader 01 00
>   token label        : GSTEST01
>   token manufacturer : SafeNet, Inc.
>   token model        : eToken
>   token flags        : login required, rng, token initialized, PIN initialized, other flags=0x200
>   hardware version   : 0.0
>   firmware version   : 0.0
>   serial num         : xx
>   pin min/max        : 8/20
>
>
> pkcs11-tool --module /usr/lib/libeTokenHID.so -v -l -t --slot 0
> Using slot with ID 0x0
> Logging in to "xxxx".
> Please enter User PIN:
> C_SeedRandom() and C_GenerateRandom():
>   seems to be OK
> Digests:
>   all 4 digest functions seem to work
>   SHA-1: OK
> Signatures (currently only for RSA)
>   testing key 0 ()
>   ERR: C_SignUpdate failed: CKR_KEY_FUNCTION_NOT_PERMITTED (0x68)
> error: PKCS11 function C_Sign failed: rv = CKR_FUNCTION_FAILED (0x6)
> Aborting.
>
>
> pkcs11-tool --module /usr/lib/libeTokenHID.so -v -l -t --slot 1
> Using slot with ID 0x1
> Logging in to "xxxx".
> Please enter User PIN:
> C_SeedRandom() and C_GenerateRandom():
>   seems to be OK
> Digests:
>   all 4 digest functions seem to work
>   SHA-1: OK
> Signatures (currently only for RSA)
>   testing key 0 (No Friendly Name Available)
>   ERR: C_SignUpdate failed: CKR_KEY_FUNCTION_NOT_PERMITTED (0x68)
>   testing signature mechanisms:
>     RSA-PKCS: OK
>     SHA256-RSA-PKCS: OK
> Verify (currently only for RSA)
>   testing key 0 (No Friendly Name Available)
>     RSA-PKCS: OK
> Decryption (currently only for RSA)
>   testing key 0 (No Friendly Name Available)
>     -- mechanism can't be used to decrypt, skipping
>     -- mechanism can't be used to decrypt, skipping
>     -- mechanism can't be used to decrypt, skipping
>     -- mechanism can't be used to decrypt, skipping
>     -- mechanism can't be used to decrypt, skipping
>     -- mechanism can't be used to decrypt, skipping
>     RSA-PKCS: OK
>     RSA-PKCS-OAEP: mgf not set, defaulting to MGF1-SHA256
>     OAEP parameters: hashAlg=SHA256, mgf=MGF1-SHA256, source_type=0, source_ptr=(nil), source_len=0
>     OK
> 1 errors
>
>
> Any ideas?
>
> Thank you in advance,
> Pavel
> _______________________________________________
> openconnect-devel mailing list
> openconnect-devel@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/openconnect-devel