Dimitri thank you,
Probably you are right regarding the building/installing from RPM, I do not
remember now.
As for the problem itself - the openconnect is working good using a SmartCard
certificate, but failed to use USB Token with the same certificate.
These are ldd's output, you are right, there is a difference in modules:
v8.10:
ldd /usr/sbin/openconnect
linux-vdso.so.1 (0x00007ffe1219f000)
libopenconnect.so.5 => /lib/x86_64-linux-gnu/libopenconnect.so.5
(0x00007fbb6cd9a000)
libgnutls.so.30 => /lib/x86_64-linux-gnu/libgnutls.so.30
(0x00007fbb6cb9a000)
libxml2.so.2 => /lib/x86_64-linux-gnu/libxml2.so.2 (0x00007fbb6c9ec000)
libproxy.so.1 => /lib/x86_64-linux-gnu/libproxy.so.1
(0x00007fbb6c9c7000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0
(0x00007fbb6c9a5000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fbb6c7e0000)
libtasn1.so.6 => /lib/x86_64-linux-gnu/libtasn1.so.6
(0x00007fbb6c7c8000)
libtss2-esys.so.0 => /lib/x86_64-linux-gnu/libtss2-esys.so.0
(0x00007fbb6c736000)
libtss2-mu.so.0 => /lib/x86_64-linux-gnu/libtss2-mu.so.0
(0x00007fbb6c6ea000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fbb6c6cd000)
libp11-kit.so.0 => /lib/x86_64-linux-gnu/libp11-kit.so.0
(0x00007fbb6c599000)
libstoken.so.1 => /lib/x86_64-linux-gnu/libstoken.so.1
(0x00007fbb6c38b000)
libgssapi_krb5.so.2 => /lib/x86_64-linux-gnu/libgssapi_krb5.so.2
(0x00007fbb6c336000)
libpcsclite.so.1 => /lib/x86_64-linux-gnu/libpcsclite.so.1
(0x00007fbb6c328000)
liblz4.so.1 => /lib/x86_64-linux-gnu/liblz4.so.1 (0x00007fbb6c305000)
libidn2.so.0 => /lib/x86_64-linux-gnu/libidn2.so.0 (0x00007fbb6c2e4000)
libunistring.so.2 => /lib/x86_64-linux-gnu/libunistring.so.2
(0x00007fbb6c162000)
libnettle.so.8 => /lib/x86_64-linux-gnu/libnettle.so.8
(0x00007fbb6c11a000)
libhogweed.so.6 => /lib/x86_64-linux-gnu/libhogweed.so.6
(0x00007fbb6c0cf000)
libgmp.so.10 => /lib/x86_64-linux-gnu/libgmp.so.10 (0x00007fbb6c04e000)
/lib64/ld-linux-x86-64.so.2 (0x00007fbb6ce1a000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fbb6c048000)
libicuuc.so.67 => /lib/x86_64-linux-gnu/libicuuc.so.67
(0x00007fbb6be5f000)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007fbb6be37000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fbb6bcf3000)
libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6
(0x00007fbb6bb24000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1
(0x00007fbb6bb0a000)
libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1
(0x00007fbb6b816000)
libtss2-sys.so.1 => /lib/x86_64-linux-gnu/libtss2-sys.so.1
(0x00007fbb6b7f2000)
libffi.so.7 => /lib/x86_64-linux-gnu/libffi.so.7 (0x00007fbb6b7e6000)
libtomcrypt.so.1 => /lib/x86_64-linux-gnu/libtomcrypt.so.1
(0x00007fbb6b702000)
libkrb5.so.3 => /lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007fbb6b628000)
libk5crypto.so.3 => /lib/x86_64-linux-gnu/libk5crypto.so.3
(0x00007fbb6b5f8000)
libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2
(0x00007fbb6b5f2000)
libkrb5support.so.0 => /lib/x86_64-linux-gnu/libkrb5support.so.0
(0x00007fbb6b5e3000)
libicudata.so.67 => /lib/x86_64-linux-gnu/libicudata.so.67
(0x00007fbb69ac8000)
libtommath.so.1 => /lib/x86_64-linux-gnu/libtommath.so.1
(0x00007fbb69aa8000)
libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1
(0x00007fbb69aa1000)
libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2
(0x00007fbb69a87000)
v9.00:
ldd /usr/local/sbin/openconnect
linux-vdso.so.1 (0x00007ffeb82e0000)
libopenconnect.so.5 => /usr/local/lib/libopenconnect.so.5
(0x00007f9c7241b000)
libgnutls.so.30 => /lib/x86_64-linux-gnu/libgnutls.so.30
(0x00007f9c7221b000)
libxml2.so.2 => /lib/x86_64-linux-gnu/libxml2.so.2 (0x00007f9c7206d000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f9c71ea8000)
libhogweed.so.6 => /lib/x86_64-linux-gnu/libhogweed.so.6
(0x00007f9c71e5f000)
libgmp.so.10 => /lib/x86_64-linux-gnu/libgmp.so.10 (0x00007f9c71dde000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f9c71dbf000)
libp11-kit.so.0 => /lib/x86_64-linux-gnu/libp11-kit.so.0
(0x00007f9c71c8b000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f9c71b47000)
libidn2.so.0 => /lib/x86_64-linux-gnu/libidn2.so.0 (0x00007f9c71b26000)
libunistring.so.2 => /lib/x86_64-linux-gnu/libunistring.so.2
(0x00007f9c719a4000)
libtasn1.so.6 => /lib/x86_64-linux-gnu/libtasn1.so.6
(0x00007f9c7198e000)
libnettle.so.8 => /lib/x86_64-linux-gnu/libnettle.so.8
(0x00007f9c71944000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0
(0x00007f9c71922000)
/lib64/ld-linux-x86-64.so.2 (0x00007f9c724b4000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f9c7191c000)
libicuuc.so.67 => /lib/x86_64-linux-gnu/libicuuc.so.67
(0x00007f9c71733000)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f9c7170b000)
libffi.so.7 => /lib/x86_64-linux-gnu/libffi.so.7 (0x00007f9c716fd000)
libicudata.so.67 => /lib/x86_64-linux-gnu/libicudata.so.67
(0x00007f9c6fbe4000)
libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6
(0x00007f9c6fa17000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1
(0x00007f9c6f9fd000)
Regards,
Pavel
From: Dimitri Papadopoulos Orfanos <dimitri.papadopou...@cea.fr>
Sent: Wednesday, June 29, 2022 2:31 PM
To: Pavel Gavronsky <kamm...@hotmail.com>
Cc: openconnect-devel@lists.infradead.org
<openconnect-devel@lists.infradead.org>
Subject: Re: Openconnect supporting SafeNet eToken 5300
Had you really *compiled* 8.10 on this machine? Without gnutls-dev, I
don't see how you could have built OpenConnect based on GnuTLS. Had you
perhaps installed a DEB package instead?
Any way, as you can see, the error originates in the p11 library.
Perhaps 8.10 and 9.00 use a different p11 library, so compare the output
of "ldd" for both versions. But most probably, as pointed out by Nikos,
that's probably an issue with the a broken proprietary PKCS#11 token.
See this thread for example:
https://lists.infradead.org/pipermail/openconnect-devel/2016-February/003470.html
Also I have lost track of the initial issue. Am I correct that both 8.10
and 9.00 fail to connect using the SafeNet USB eToken 5300? Do they just
fail differently?
Finally please note that the latest release of OpenConnect is 9.01. Not
that I believe that 9.01 might fix anything, but it is definitely better
to build the latest available release.
Dimitri
Le 29/06/2022 à 11:51, Pavel Gavronsky a écrit :
> Dimitry, many thanks,
>
> gnutls-dev was missing. It's strange, because I compiled the previous v8.10
> build on this machine.
>
> Now I can compare the debug logs.
>
> With GnuTLS it looks better in v.9.00, at least there is a step of asking the
> Token PIN. But it failed. May I ask you to look...
>
> Old v.8.10 LOGs:
>
> (p11-kit:7409) sys_C_GetTokenInfo: in
> (p11-kit:7409) sys_C_GetTokenInfo: out: 0x0
> gnutls[2]: p11: No login requested.
> Trying PKCS#11 key URL
> pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=02xxxeb42;token=GSTEST01;id=%B6%XXXXXXXX%5C%0C%FD%7E;object=No%20Friendly%20Name%20Available;type=private
> (p11-kit:7409) sys_C_GetSlotList: in
> (p11-kit:7409) sys_C_GetSlotList: out: 0x0
> (p11-kit:7409) sys_C_GetTokenInfo: in
> (p11-kit:7409) sys_C_GetTokenInfo: out: 0x0
> PIN required for GSTEST01
> Enter PIN:
> gnutls[2]: p11: Login result = ok (0)
> (p11-kit:7409) sys_C_GetSlotList: in
> (p11-kit:7409) sys_C_GetSlotList: out: 0x0
> (p11-kit:7409) sys_C_GetTokenInfo: in
> (p11-kit:7409) sys_C_GetTokenInfo: out: 0x0
> Using PKCS#11 key
> pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=02xxx42;token=GSTEST01;id=%B6%A2%74%B2xxxxxxxxxx%D6%5C%0C%FD%7E;object=No%20Friendly%20Name%20Available;type=private
> Using client certificate 'xxxx xxx\ '
> (p11-kit:7409) sys_C_GetSlotList: in
>
>
> New v9.00 LOGs:
>
> (p11-kit:8449) sys_C_GetTokenInfo: in
> (p11-kit:8449) sys_C_GetTokenInfo: out: 0x0
> gnutls[2]: p11: No login requested.
> gnutls[2]: p11: Skipped object, missing attrs.
> <------------------------------------------------- looks like some kind of
> ERROR
> gnutls[3]: ASSERT: ../../lib/pkcs11.c[find_single_obj_cb]:2261
> gnutls[3]: ASSERT: ../../lib/pkcs11.c[find_single_obj_cb]:2222
> gnutls[3]: ASSERT: ../../lib/pkcs11.c[gnutls_pkcs11_obj_import_url]:2350
> gnutls[3]: ASSERT: ../../lib/pkcs11.c[_gnutls_x509_crt_import_pkcs11_url]:3613
> (p11-kit:8449) sys_C_GetSlotList: in
> (p11-kit:8449) sys_C_GetSlotList: out: 0x0
> (p11-kit:8449) sys_C_GetTokenInfo: in
> (p11-kit:8449) sys_C_GetTokenInfo: out: 0x0
> PIN required for xxx
> Enter PIN:
> gnutls[2]: p11: Login result = ok (0)
> gnutls[2]: p11: Skipped object, missing attrs.
> <------------------------------------------------- looks like some kind of
> ERROR
> gnutls[3]: ASSERT: ../../lib/pkcs11.c[find_single_obj_cb]:2261
> gnutls[3]: ASSERT: ../../lib/pkcs11.c[find_single_obj_cb]:2222
> gnutls[3]: ASSERT: ../../lib/pkcs11.c[gnutls_pkcs11_obj_import_url]:2350
> gnutls[3]: ASSERT: ../../lib/pkcs11.c[_gnutls_x509_crt_import_pkcs11_url]:3613
> Error loading certificate from PKCS#11: The requested data were not available.
> Loading certificate failed. Aborting.
> Failed to complete authentication
> (p11-kit:8449) uninit_common: uninitializing library
> (p11-kit:8449) uninit_common: uninitializing library
>
>
>
> Regards,
> Pavel
_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
