Hi Pavel,
How did you try to build OpenConnect 9.01? These instructions should
work on any Linux distribution:
[download source code, unpack in a folder, enter that folder]
./configure
make
provided these requirements are met:
https://www.infradead.org/openconnect/building.html
The error message you show us might be caused by a previous error that
we do not see. A full build log would help (add it to issue
https://gitlab.com/openconnect/openconnect/-/issues/242). Also, which
Linux distribution are you building on?
Dimitri
On 23/06/2022 at 15:27, Pavel Gavronsky wrote:
Hi Dimitri,
Thank you for the reply.
I tried to install the latest openconnect version; however, when running "make",
the following build error appeared:
make[1]: *** No rule to make target '../libopenconnect.la', needed by
'serverhash'. Stop.
make[1]: Leaving directory '/tmp/openconnect-9.01/tests'
make: *** [Makefile:1749: check-recursive] Error 1
I will try to install other releases which are newer than the one I currently have.
Regards,
Pavel
From: Dimitri Papadopoulos <dimitri.papadopou...@cea.fr>
Sent: Tuesday, June 21, 2022 6:41 PM
To: Pavel Gavronsky <kamm...@hotmail.com>; openconnect-devel@lists.infradead.org
<openconnect-devel@lists.infradead.org>
Subject: Re: Openconnect supporting SafeNet eToken 5300
Hi,
Is this issue identical to that one filed a year ago?
https://gitlab.com/openconnect/openconnect/-/issues/242
Have you tried a newer version of OpenConnect as suggested in this issue?
Best Regards,
Dimitri
On 21/06/2022 at 16:38, Pavel Gavronsky wrote:
Hello,
I am using OpenConnect with a PULSE appliance where the authentication is done by
SmartCard (ACS ACR39U ICC Reader). The connection is established without any
issue.
When trying to use the SafeNet USB eToken 5300, there is an error: "Loading certificate
failed. Aborting. Failed to obtain WebVPN cookie".
$ uname -a
Linux xxx-xx-A 5.10.0-10-amd64 #1 SMP Debian 5.10.84-1 (2021-12-08) x86_64
GNU/Linux
Debugging info (GNUTLS_DEBUG_LEVEL=9):
/usr/sbin/openconnect -V
OpenConnect version v8.10-2+b1
Using GnuTLS 3.7.1. Features present: TPMv2, PKCS#11, RSA software token, HOTP
software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse
openconnect --protocol=pulse pdc.xxx.xxx:443/xxxx --servercert
"pin-sha256:xxxxcXCTMPxxx" -c
'pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=cert'
-vvv
gnutls[2]: Enabled GnuTLS 3.7.1 logging...
gnutls[2]: getrandom random generator was detected
gnutls[2]: Intel SSSE3 was detected
gnutls[2]: Intel AES accelerator was detected
gnutls[2]: Intel GCM accelerator was detected
gnutls[2]: cfg: unable to access: /etc/gnutls/config: 2
Attempting to connect to server x.x.x.x:443
Connected to x.x.x.x:443
Using PKCS#11 certificate
pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=cert
gnutls[2]: Initializing all PKCS #11 modules
gnutls[2]: p11: Initializing module: p11-kit-trust
gnutls[2]: p11: Initializing module: opensc
gnutls[2]: p11: Initializing module: opensc-pkcs11
gnutls[3]: ASSERT: ../../lib/pkcs11.c[compat_load]:896
gnutls[2]: p11: No login requested.
Trying PKCS#11 key URL
pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private
PIN required for xxx
Enter PIN:
gnutls[2]: p11: Login result = ok (0)
gnutls[3]: ASSERT:
../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
gnutls[2]: p11: No login requested.
Trying PKCS#11 key URL
pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private
gnutls[2]: p11: Login result = ok (0)
gnutls[3]: ASSERT:
../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
Trying PKCS#11 key URL
pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private
gnutls[2]: p11: Login result = ok (0)
gnutls[3]: ASSERT:
../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
Error importing PKCS#11 URL
pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private:
The requested data were not available.
Loading certificate failed. Aborting.
Failed to obtain WebVPN cookie
pkcs11-tool --module /usr/lib/libeToken.so --list-token-slots
Available slots:
Slot 0 (0x0): SafeNet eToken 5300 [eToken 5300] (FFFFFFFFFFFF) 00 00
token label : xxxx
token manufacturer : Gemalto
token model : ID Prime MD
token flags : login required, rng, token initialized, PIN
initialized, other flags=0x200
hardware version : 0.0
firmware version : 0.0
serial num : xxxx39
pin min/max : 4/16
Slot 1 (0x1): ACS ACR39U ICC Reader 01 00
token label : GSTEST01
token manufacturer : SafeNet, Inc.
token model : eToken
token flags : login required, rng, token initialized, PIN
initialized, other flags=0x200
hardware version : 0.0
firmware version : 0.0
serial num : xx
pin min/max : 8/20
pkcs11-tool --module /usr/lib/libeTokenHID.so -v -l -t --slot 0
Using slot with ID 0x0
Logging in to "xxxx".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
seems to be OK
Digests:
all 4 digest functions seem to work
SHA-1: OK
Signatures (currently only for RSA)
testing key 0 ()
ERR: C_SignUpdate failed: CKR_KEY_FUNCTION_NOT_PERMITTED (0x68)
error: PKCS11 function C_Sign failed: rv = CKR_FUNCTION_FAILED (0x6)
Aborting.
pkcs11-tool --module /usr/lib/libeTokenHID.so -v -l -t --slot 1
Using slot with ID 0x1
Logging in to "xxxx".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
seems to be OK
Digests:
all 4 digest functions seem to work
SHA-1: OK
Signatures (currently only for RSA)
testing key 0 (No Friendly Name Available)
ERR: C_SignUpdate failed: CKR_KEY_FUNCTION_NOT_PERMITTED (0x68)
testing signature mechanisms:
RSA-PKCS: OK
SHA256-RSA-PKCS: OK
Verify (currently only for RSA)
testing key 0 (No Friendly Name Available)
RSA-PKCS: OK
Decryption (currently only for RSA)
testing key 0 (No Friendly Name Available)
-- mechanism can't be used to decrypt, skipping
-- mechanism can't be used to decrypt, skipping
-- mechanism can't be used to decrypt, skipping
-- mechanism can't be used to decrypt, skipping
-- mechanism can't be used to decrypt, skipping
-- mechanism can't be used to decrypt, skipping
RSA-PKCS: OK
RSA-PKCS-OAEP: mgf not set, defaulting to MGF1-SHA256
OAEP parameters: hashAlg=SHA256, mgf=MGF1-SHA256, source_type=0,
source_ptr=(nil), source_len=0
OK
1 errors
Any ideas?
Thank you in advance,
Pavel
_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
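A triage helper for logs like the one in the original report, added here as an example (not part of the thread and not OpenConnect or GnuTLS code): it lists the PKCS#11 modules GnuTLS initialized, the login results and ASSERT locations, and decodes each `pkcs11:` URL so its token attributes can be compared with a `pkcs11-tool --list-token-slots` entry. The sample log, the token record and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote, unquote_to_bytes

# Constructed sample shaped like the debug output in the report (placeholder values).
SAMPLE_LOG = """\
gnutls[2]: p11: Initializing module: p11-kit-trust
gnutls[2]: p11: Initializing module: opensc-pkcs11
Using PKCS#11 certificate
pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;token=EXAMPLE;id=%B6%0C;type=cert
gnutls[2]: p11: Login result = ok (0)
gnutls[3]: ASSERT:
../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
Error importing PKCS#11 URL
pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;token=EXAMPLE;id=%B6%0C;type=private:
Loading certificate failed. Aborting.
"""
# Constructed token record, keyed by the field names pkcs11-tool prints per slot.
SAMPLE_TOKEN = {"token label": "EXAMPLE", "token manufacturer": "Gemalto",
                "token model": "ID Prime MD"}
# RFC 7512 URI attribute -> pkcs11-tool field name
URI_TO_FIELD = {"token": "token label", "manufacturer": "token manufacturer",
                "model": "token model", "serial": "serial num"}

def parse_pkcs11_uri(uri):
    """Split a pkcs11: URI path into attributes; 'id' is kept as raw bytes."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path = uri[len("pkcs11:"):].split("?", 1)[0]
    attrs = {}
    for part in filter(None, path.split(";")):
        key, _, value = part.partition("=")
        attrs[key] = unquote_to_bytes(value) if key == "id" else unquote(value)
    return attrs

def uri_matches_token(attrs, token):
    """True when every token-identifying URI attribute equals the listed field."""
    return all(token.get(f) == attrs[a] for a, f in URI_TO_FIELD.items() if a in attrs)

def summarize(log):
    """Collect modules, logins, ASSERT sites and URLs from a GnuTLS debug log."""
    # rstrip(":") drops the colon that follows the URL in the error line
    uris = [parse_pkcs11_uri(u.rstrip(":")) for u in re.findall(r"pkcs11:\S+", log)]
    return {"modules": re.findall(r"p11: Initializing module: (\S+)", log),
            "logins_ok": len(re.findall(r"p11: Login result = ok", log)),
            "asserts": sorted(set(re.findall(r"ASSERT:\s*(\S+)", log))),
            "uris": uris,
            "failed": "Loading certificate failed" in log}
```

Comparing the `modules` list with the `--module` path passed to `pkcs11-tool` shows whether both tools were talking to the token through the same PKCS#11 provider.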