Hi Dimitri,

Sorry for the late response, I had no access to my system to try the new installation.
Finally, I have installed 9.00:

openconnect -V
OpenConnect version v9.00
Using OpenSSL 1.1.1n 15 Mar 2022. Features present: TPM (OpenSSL ENGINE not present), PKCS#11, HOTP software token, TOTP software token, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
Default vpnc-script (override with --script): /usr/share/vpnc-scripts/vpnc-script

Unfortunately, I am not able to connect, the following error appears when I try to use a SmartCard or USB Token:

Failed to enumerate PKCS#11 slots
140593529243456:error:81071054:PKCS#11 module:pkcs11_init_slot:Function not supported:p11_slot.c:428:
Loading certificate failed. Aborting.
Failed to complete authentication

Both SmartCard and USB Token are connected and available:

# pkcs11-tool --module /usr/lib/libeTokenHID.so -L
Available slots:
Slot 0 (0x0): SafeNet eToken 5300 [eToken 5300] (FFFFFFFFFFFF) 00 00
  token label        : xxxx
  token manufacturer : Gemalto
  token model        : ID Prime MD
  token flags        : login required, rng, token initialized, PIN initialized, other flags=0x200
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 09E8xxxxx3E3xxx9
  pin min/max        : 4/16
Slot 1 (0x1): ACS ACR39U ICC Reader 01 00
  token label        : xxxxxx
  token manufacturer : SafeNet, Inc.
  token model        : eToken
  token flags        : login required, rng, token initialized, PIN initialized, other flags=0x200
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 02xxxxeb42
  pin min/max        : 8/20
Slot 2 (0x2): (empty)
Slot 3 (0x3): (empty)
Slot 4 (0x4): (empty)
Slot 5 (0x5): (empty)
Slot 6 (0x6): (empty)
Slot 7 (0x7): (empty)

I am attaching the ldd output for the reference:

ldd /usr/local/sbin/openconnect
        linux-vdso.so.1 (0x00007fffc95db000)
        libopenconnect.so.5 => /usr/local/lib/libopenconnect.so.5 (0x00007fdb79531000)
        libxml2.so.2 => /lib/x86_64-linux-gnu/libxml2.so.2 (0x00007fdb79383000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fdb791be000)
        libssl.so.1.1 => /lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007fdb7912b000)
        libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007fdb78e37000)
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fdb78e1a000)
        libp11.so.3 => /lib/x86_64-linux-gnu/libp11.so.3 (0x00007fdb78e07000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fdb78cc3000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fdb78cbd000)
        libicuuc.so.67 => /lib/x86_64-linux-gnu/libicuuc.so.67 (0x00007fdb78ad4000)
        liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007fdb78aac000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fdb795ca000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fdb78a8a000)
        libicudata.so.67 => /lib/x86_64-linux-gnu/libicudata.so.67 (0x00007fdb76f6f000)
        libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007fdb76da2000)
        libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007fdb76d88000)

Thank you,
Pavel

From: Dimitri Papadopoulos <dimitri.papadopou...@cea.fr>
Sent: Thursday, June 23, 2022 7:06 PM
To: Pavel Gavronsky <kamm...@hotmail.com>; openconnect-devel@lists.infradead.org <openconnect-devel@lists.infradead.org>
Subject: Re: Openconnect supporting SafeNet eToken 5300

Hi Pavel,

How did you try to build OpenConnect 9.01?
These instructions should work on any Linux distribution:

        [download source code, unpack in a folder, enter that folder]
        ./configure
        make

provided these requirements are met:
        https://www.infradead.org/openconnect/building.html

The error message you show us might be caused by a previous error that we do not see. A full build log would help (add it to issue https://gitlab.com/openconnect/openconnect/-/issues/242).

Also, which Linux distribution are you building on?

Dimitri

On 23/06/2022 at 15:27, Pavel Gavronsky wrote:
> Hi Dimitri,
>
> Thank you for the reply.
>
> I tried to install the latest openconnect version, however when "make" the
> build the following error appeared:
>
> make[1]: *** No rule to make target '../libopenconnect.la', needed by 'serverhash'. Stop.
> make[1]: Leaving directory '/tmp/openconnect-9.01/tests'
> make: *** [Makefile:1749: check-recursive] Error 1
>
> I will try to install other releases which are newer than I have currently.
>
> Regards,
> Pavel
>
> From: Dimitri Papadopoulos <dimitri.papadopou...@cea.fr>
> Sent: Tuesday, June 21, 2022 6:41 PM
> To: Pavel Gavronsky <kamm...@hotmail.com>; openconnect-devel@lists.infradead.org <openconnect-devel@lists.infradead.org>
> Subject: Re: Openconnect supporting SafeNet eToken 5300
>
> Hi,
>
> Is this issue identical to that one filed a year ago?
>
> https://gitlab.com/openconnect/openconnect/-/issues/242
>
> Have you tried a newer version of OpenConnect as suggested in this issue?
>
> Best Regards,
> Dimitri
>
> On 21/06/2022 at 16:38, Pavel Gavronsky wrote:
>> Hello,
>>
>> I am using Openconnect with PULSE appliance where the authentication is done
>> by SmartCard (ACS ACR39U ICC Reader). The connection is established without
>> any issue.
>> When trying to use SafeNet USB eToken 5300 - there is an error "Loading
>> certificate failed. Aborting. Failed to obtain WebVPN cookie".
>>
>> $ uname -a
>> Linux xxx-xx-A 5.10.0-10-amd64 #1 SMP Debian 5.10.84-1 (2021-12-08) x86_64 GNU/Linux
>>
>> Debugging info (GNUTLS_DEBUG_LEVEL=9):
>>
>> /usr/sbin/openconnect -V
>> OpenConnect version v8.10-2+b1
>> Using GnuTLS 3.7.1. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
>> Supported protocols: anyconnect (default), nc, gp, pulse
>>
>> openconnect --protocol=pulse pdc.xxx.xxx:443/xxxx --servercert "pin-sha256:xxxxcXCTMPxxx" -c 'pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=cert' -vvv
>> gnutls[2]: Enabled GnuTLS 3.7.1 logging...
>> gnutls[2]: getrandom random generator was detected
>> gnutls[2]: Intel SSSE3 was detected
>> gnutls[2]: Intel AES accelerator was detected
>> gnutls[2]: Intel GCM accelerator was detected
>> gnutls[2]: cfg: unable to access: /etc/gnutls/config: 2
>> Attempting to connect to server x.x.x.x:443
>> Connected to x.x.x.x:443
>> Using PKCS#11 certificate pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=cert
>> gnutls[2]: Initializing all PKCS #11 modules
>> gnutls[2]: p11: Initializing module: p11-kit-trust
>> gnutls[2]: p11: Initializing module: opensc
>> gnutls[2]: p11: Initializing module: opensc-pkcs11
>> gnutls[3]: ASSERT: ../../lib/pkcs11.c[compat_load]:896
>> gnutls[2]: p11: No login requested.
>> Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private
>> PIN required for xxx
>> Enter PIN:
>> gnutls[2]: p11: Login result = ok (0)
>> gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
>> gnutls[2]: p11: No login requested.
>> Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private
>> gnutls[2]: p11: Login result = ok (0)
>> gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
>> Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private
>> gnutls[2]: p11: Login result = ok (0)
>> gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
>> Error importing PKCS#11 URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private: The requested data were not available.
>> Loading certificate failed. Aborting.
>> Failed to obtain WebVPN cookie
>>
>> pkcs11-tool --module /usr/lib/libeToken.so --list-token-slots
>> Available slots:
>> Slot 0 (0x0): SafeNet eToken 5300 [eToken 5300] (FFFFFFFFFFFF) 00 00
>>   token label        : xxxx
>>   token manufacturer : Gemalto
>>   token model        : ID Prime MD
>>   token flags        : login required, rng, token initialized, PIN initialized, other flags=0x200
>>   hardware version   : 0.0
>>   firmware version   : 0.0
>>   serial num         : xxxx39
>>   pin min/max        : 4/16
>> Slot 1 (0x1): ACS ACR39U ICC Reader 01 00
>>   token label        : GSTEST01
>>   token manufacturer : SafeNet, Inc.
>>   token model        : eToken
>>   token flags        : login required, rng, token initialized, PIN initialized, other flags=0x200
>>   hardware version   : 0.0
>>   firmware version   : 0.0
>>   serial num         : xx
>>   pin min/max        : 8/20
>>
>> pkcs11-tool --module /usr/lib/libeTokenHID.so -v -l -t --slot 0
>> Using slot with ID 0x0
>> Logging in to "xxxx".
>> Please enter User PIN:
>> C_SeedRandom() and C_GenerateRandom():
>>   seems to be OK
>> Digests:
>>   all 4 digest functions seem to work
>>   SHA-1: OK
>> Signatures (currently only for RSA)
>>   testing key 0 ()
>>   ERR: C_SignUpdate failed: CKR_KEY_FUNCTION_NOT_PERMITTED (0x68)
>> error: PKCS11 function C_Sign failed: rv = CKR_FUNCTION_FAILED (0x6)
>> Aborting.
>>
>> pkcs11-tool --module /usr/lib/libeTokenHID.so -v -l -t --slot 1
>> Using slot with ID 0x1
>> Logging in to "xxxx".
>> Please enter User PIN:
>> C_SeedRandom() and C_GenerateRandom():
>>   seems to be OK
>> Digests:
>>   all 4 digest functions seem to work
>>   SHA-1: OK
>> Signatures (currently only for RSA)
>>   testing key 0 (No Friendly Name Available)
>>   ERR: C_SignUpdate failed: CKR_KEY_FUNCTION_NOT_PERMITTED (0x68)
>>   testing signature mechanisms:
>>     RSA-PKCS: OK
>>     SHA256-RSA-PKCS: OK
>> Verify (currently only for RSA)
>>   testing key 0 (No Friendly Name Available)
>>     RSA-PKCS: OK
>> Decryption (currently only for RSA)
>>   testing key 0 (No Friendly Name Available)
>>     -- mechanism can't be used to decrypt, skipping
>>     -- mechanism can't be used to decrypt, skipping
>>     -- mechanism can't be used to decrypt, skipping
>>     -- mechanism can't be used to decrypt, skipping
>>     -- mechanism can't be used to decrypt, skipping
>>     -- mechanism can't be used to decrypt, skipping
>>     RSA-PKCS: OK
>>     RSA-PKCS-OAEP: mgf not set, defaulting to MGF1-SHA256
>> OAEP parameters: hashAlg=SHA256, mgf=MGF1-SHA256, source_type=0, source_ptr=(nil), source_len=0
>> OK
>> 1 errors
>>
>> Any ideas?
>>
>> Thank you in advance,
>> Pavel
>> _______________________________________________
>> openconnect-devel mailing list
>> openconnect-devel@lists.infradead.org
>> http://lists.infradead.org/mailman/listinfo/openconnect-devel

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel