Had you really *compiled* 8.10 on this machine? Without gnutls-dev, I
don't see how you could have built OpenConnect based on GnuTLS. Had you
perhaps installed a DEB package instead?
Anyway, as you can see, the error originates in the p11 library.
Perhaps 8.10 and 9.00 use a different p11 library, so compare the output
of "ldd" for both versions. But most probably, as pointed out by Nikos,
that's probably an issue with a broken proprietary PKCS#11 token.
See this thread for example:
https://lists.infradead.org/pipermail/openconnect-devel/2016-February/003470.html
Also I have lost track of the initial issue. Am I correct that both 8.10
and 9.00 fail to connect using the SafeNet USB eToken 5300? Do they just
fail differently?
Finally please note that the latest release of OpenConnect is 9.01. Not
that I believe that 9.01 might fix anything, but it is definitely better
to build the latest available release.
Dimitri
On 29/06/2022 at 11:51, Pavel Gavronsky wrote:
Dimitri, many thanks,
gnutls-dev was missing. It's strange, because I compiled the previous v8.10
build on this machine.
Now I can compare the debug logs.
With GnuTLS it looks better in v.9.00, at least there is a step of asking the
Token PIN. But it failed. May I ask you to look...
Old v.8.10 LOGs:
(p11-kit:7409) sys_C_GetTokenInfo: in
(p11-kit:7409) sys_C_GetTokenInfo: out: 0x0
gnutls[2]: p11: No login requested.
Trying PKCS#11 key URL
pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=02xxxeb42;token=GSTEST01;id=%B6%XXXXXXXX%5C%0C%FD%7E;object=No%20Friendly%20Name%20Available;type=private
(p11-kit:7409) sys_C_GetSlotList: in
(p11-kit:7409) sys_C_GetSlotList: out: 0x0
(p11-kit:7409) sys_C_GetTokenInfo: in
(p11-kit:7409) sys_C_GetTokenInfo: out: 0x0
PIN required for GSTEST01
Enter PIN:
gnutls[2]: p11: Login result = ok (0)
(p11-kit:7409) sys_C_GetSlotList: in
(p11-kit:7409) sys_C_GetSlotList: out: 0x0
(p11-kit:7409) sys_C_GetTokenInfo: in
(p11-kit:7409) sys_C_GetTokenInfo: out: 0x0
Using PKCS#11 key
pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=02xxx42;token=GSTEST01;id=%B6%A2%74%B2xxxxxxxxxx%D6%5C%0C%FD%7E;object=No%20Friendly%20Name%20Available;type=private
Using client certificate 'xxxx xxx\ '
(p11-kit:7409) sys_C_GetSlotList: in
New v9.00 LOGs:
(p11-kit:8449) sys_C_GetTokenInfo: in
(p11-kit:8449) sys_C_GetTokenInfo: out: 0x0
gnutls[2]: p11: No login requested.
gnutls[2]: p11: Skipped object, missing attrs.
<------------------------------------------------- looks like some kind of ERROR
gnutls[3]: ASSERT: ../../lib/pkcs11.c[find_single_obj_cb]:2261
gnutls[3]: ASSERT: ../../lib/pkcs11.c[find_single_obj_cb]:2222
gnutls[3]: ASSERT: ../../lib/pkcs11.c[gnutls_pkcs11_obj_import_url]:2350
gnutls[3]: ASSERT: ../../lib/pkcs11.c[_gnutls_x509_crt_import_pkcs11_url]:3613
(p11-kit:8449) sys_C_GetSlotList: in
(p11-kit:8449) sys_C_GetSlotList: out: 0x0
(p11-kit:8449) sys_C_GetTokenInfo: in
(p11-kit:8449) sys_C_GetTokenInfo: out: 0x0
PIN required for xxx
Enter PIN:
gnutls[2]: p11: Login result = ok (0)
gnutls[2]: p11: Skipped object, missing attrs.
<------------------------------------------------- looks like some kind of ERROR
gnutls[3]: ASSERT: ../../lib/pkcs11.c[find_single_obj_cb]:2261
gnutls[3]: ASSERT: ../../lib/pkcs11.c[find_single_obj_cb]:2222
gnutls[3]: ASSERT: ../../lib/pkcs11.c[gnutls_pkcs11_obj_import_url]:2350
gnutls[3]: ASSERT: ../../lib/pkcs11.c[_gnutls_x509_crt_import_pkcs11_url]:3613
Error loading certificate from PKCS#11: The requested data were not available.
Loading certificate failed. Aborting.
Failed to complete authentication
(p11-kit:8449) uninit_common: uninitializing library
(p11-kit:8449) uninit_common: uninitializing library
Regards,
Pavel
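
Added example, not part of the original thread and not OpenConnect or GnuTLS code: a small Python triage script for debug output in the format quoted above, reporting the stage at which a run failed. The function names, stage labels and the sample log are constructed for illustration.

```python
import re

# Constructed sample in the format of the v9.00 debug log quoted in the thread.
SAMPLE_LOG = """\
(p11-kit:8449) sys_C_GetTokenInfo: out: 0x0
gnutls[2]: p11: No login requested.
gnutls[2]: p11: Skipped object, missing attrs.
gnutls[3]: ASSERT: ../../lib/pkcs11.c[find_single_obj_cb]:2261
gnutls[3]: ASSERT: ../../lib/pkcs11.c[_gnutls_x509_crt_import_pkcs11_url]:3613
PIN required for xxx
gnutls[2]: p11: Login result = ok (0)
gnutls[2]: p11: Skipped object, missing attrs.
gnutls[3]: ASSERT: ../../lib/pkcs11.c[find_single_obj_cb]:2261
gnutls[3]: ASSERT: ../../lib/pkcs11.c[_gnutls_x509_crt_import_pkcs11_url]:3613
Error loading certificate from PKCS#11: The requested data were not available.
"""

P11KIT_RC = re.compile(r"^\(p11-kit:\d+\) (\w+): out: (0x[0-9a-fA-F]+)")
ASSERT = re.compile(r"^gnutls\[\d+\]: ASSERT: [^\[\s]+\[(\w+)\]:\d+")
LOGIN = re.compile(r"^gnutls\[\d+\]: p11: Login result = (\w+) \(-?\d+\)")
SKIPPED = "p11: Skipped object, missing attrs."

def summarize(log_text):
    """Collect the PKCS#11-related events of one run (hypothetical helper)."""
    s = {"failed_calls": [], "login": None, "skipped_pre": 0,
         "skipped_post": 0, "last_assert": None, "fatal": None}
    for line in (l.strip() for l in log_text.splitlines()):
        if m := P11KIT_RC.match(line):
            if int(m.group(2), 16) != 0:          # non-zero CK_RV from the module
                s["failed_calls"].append((m.group(1), m.group(2)))
        elif m := LOGIN.match(line):
            s["login"] = m.group(1)
        elif line.endswith(SKIPPED):              # count before and after login separately
            s["skipped_post" if s["login"] else "skipped_pre"] += 1
        elif m := ASSERT.match(line):
            s["last_assert"] = m.group(1)         # function of the latest GnuTLS assert
        elif line.startswith("Error loading certificate"):
            s["fatal"] = line
    return s

def failing_stage(s):
    """Map a summary to a coarse stage label (labels are illustrative)."""
    if s["failed_calls"]:
        return "pkcs11-module-call"
    if s["login"] not in (None, "ok"):
        return "token-login"
    if s["fatal"] and s["skipped_post"]:
        return "object-lookup-after-login"
    return "unknown" if s["fatal"] else "no-failure-seen"
```

On the sample, every p11-kit call returns 0x0 and the login result is ok, so the stage reported is the object lookup that follows the login.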