OpenConnect doesn't log into token that fails to set CKF_LOGIN_REQUIRED
I have an ocserv VPN server with PAM + certificate authentication. It works flawlessly with openconnect-gui and Cisco AnyConnect clients from Windows PCs. Certs and keys are issued by a Windows PKI and stored in the Windows PCs' internal storage or on smart cards (JaCarta Aladdin token).
Now I'm trying to configure openconnect to access the same VPN server from an Ubuntu 19.10 workstation with the same JaCarta token, following the manual at https://www.infradead.org/openconnect/pkcs11.html
openconnect --authenticate -c 'pkcs11:model=PRO;manufacturer=Aladdin%20R.D.;serial=CC62FB25;token=val%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00;id=%33%32%31%30%33%61%36%37%36%65%32%34%35%62%32%31;object=cd8119f12b53ae60;type=cert' -k 'pkcs11:model=PRO;manufacturer=Aladdin%20R.D.;serial=CC62FB25;token=val%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00;id=%33%32%31%30%33%61%36%37%36%65%32%34%35%62%32%31;type=private' -v vpn4.xxx.yy
POST https://vpn4.xxx.yy/
Attempting to connect to server 10.36.102.129:443
Connected to 10.36.102.129:443
Using PKCS#11 certificate pkcs11:model=PRO;manufacturer=Aladdin%20R.D.;serial=CC62FB25;token=val%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00;id=%33%32%31%30%33%61%36%37%36%65%32%34%35%62%32%31;object=cd8119f12b53ae60;type=cert
Error importing PKCS#11 URL pkcs11:model=PRO;manufacturer=Aladdin%20R.D.;serial=CC62FB25;token=val%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00;id=%33%32%31%30%33%61%36%37%36%65%32%34%35%62%32%31;type=private: The requested data were not available.
Loading certificate failed. Aborting.
Failed to open HTTPS connection to vpn4.xxx.yy
Failed to obtain WebVPN cookie
OpenConnect won't ask for a PIN with full pkcs11 URLs to the cert and key. I have also tried to cut the pkcs11 URLs down, but without luck.
Another strange thing:
p11tool freezes with "Please insert token 'val' in slot and press enter" when I run it to show private certs (with the token inserted):
p11tool --list-privkeys --login pkcs11:model=PRO;manufacturer=Aladdin%20R.D.;serial=CC62FB25;token=val%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00
Token 'val' with URL 'pkcs11:model=PRO;manufacturer=Aladdin%20R.D.;serial=CC62FB25;token=val%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00' requires user PIN
Enter PIN:
Object 0:
URL: pkcs11:model=PRO;manufacturer=Aladdin%20R.D.;serial=CC62FB25;token=val%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00;id=%33%32%31%30%33%61%36%37%36%65%32%34%35%62%32%31;type=private
Please insert token 'val' in slot and press enter
<< p11tool froze here
<< I pressed Enter (the token was connected)
Please insert token 'val' in slot and press enter
<< then I disconnected the token and pressed Enter again
Type: Private key
Label:
Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
ID: 33:32:31:30:33:61:36:37:36:65:32:34:35:62:32:31
It looks like there is some issue with my configuration of openconnect or possibly the underlying Linux PKCS#11 infrastructure (GnuTLS, OpenSC, the JaCarta module libjcPKCS11-2.so).
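A small diagnostic helper, added here as an example and not part of the original post or of OpenConnect/p11tool: it parses RFC 7512 pkcs11: URIs with only the Python standard library, strips the padding that the token label carries (the post's URIs show a 32-byte label field "val" padded with NUL bytes rather than the spaces PKCS#11 specifies, which is why the URIs are so long), decodes the CKA_ID (which here is printable ASCII), and rebuilds a minimal URI with just the object-identifying attributes, which is what "cutting the URL down" has to preserve. It also flags a `pin-value` query attribute, since a PIN embedded in a URI on the command line ends up in shell history and `ps` output. The URIs are the ones the post shows; the `pin-value` variant is constructed for the example and is not from the post. Nothing here talks to a token.

```python
"""Decode, normalise and sanity-check RFC 7512 PKCS#11 URIs (added example)."""
from urllib.parse import quote, unquote_to_bytes

# Path attributes are ';'-separated and percent-encoded; query attributes
# (module-path, pin-value, ...) follow '?' and are '&'-separated.
def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs), each mapping name -> decoded bytes."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")

    def split(part, sep):
        attrs = {}
        for item in (part.split(sep) if part else []):
            name, eq, value = item.partition("=")
            if not eq or not name:
                raise ValueError(f"malformed attribute {item!r}")
            attrs[name] = unquote_to_bytes(value)
        return attrs

    return split(path_part, ";"), split(query_part, "&")


def clean_label(raw):
    """CK_TOKEN_INFO.label is a fixed 32-byte field that PKCS#11 says is
    space-padded; the module in the post pads with NULs, and p11tool encodes
    every one of them as %00. Strip both kinds of padding."""
    return raw.rstrip(b"\x00 ").decode("utf-8", errors="replace")


def describe(uri):
    """Human-readable view of the attributes that select an object."""
    path, query = parse_pkcs11_uri(uri)
    label = path.get("token", b"")
    obj_id = path.get("id", b"")
    printable = bool(obj_id) and all(32 <= b < 127 for b in obj_id)
    return {
        "token": clean_label(label) if "token" in path else None,
        "label_padding": len(label) - len(label.rstrip(b"\x00 ")),
        "id_hex": ":".join(f"{b:02x}" for b in obj_id),
        # Many middlewares store CKA_ID as printable ASCII; show it if so.
        "id_text": obj_id.decode("ascii") if printable else None,
        "object": path.get("object", b"").decode("utf-8", "replace") or None,
        "type": path.get("type", b"").decode("ascii", "replace") or None,
        # A PIN in the URI is a secret on the command line: history, ps, logs.
        "has_pin_value": "pin-value" in query,
    }


def minimal_uri(uri, keep=("token", "id", "object", "type")):
    """Rebuild the URI with only object-identifying attributes, a trimmed
    label and no query part, so it can be retyped without the %00 run."""
    path, _ = parse_pkcs11_uri(uri)
    parts = []
    for name in keep:
        if name not in path:
            continue
        value = path[name]
        if name == "token":
            value = clean_label(value).encode("utf-8")
        parts.append(f"{name}={quote(value, safe='')}")
    return "pkcs11:" + ";".join(parts)


# URIs from the post: "val" plus 29 NUL bytes fills the 32-byte label field.
_COMMON = ("pkcs11:model=PRO;manufacturer=Aladdin%20R.D.;serial=CC62FB25;"
           "token=val" + "%00" * 29 +
           ";id=%33%32%31%30%33%61%36%37%36%65%32%34%35%62%32%31")
CERT_URI = _COMMON + ";object=cd8119f12b53ae60;type=cert"
KEY_URI = _COMMON + ";type=private"
# Constructed variant (not from the post) to show the pin-value check.
PIN_URI = KEY_URI + "?module-path=/usr/lib/libjcPKCS11-2.so&pin-value=1234"

if __name__ == "__main__":
    for u in (CERT_URI, KEY_URI, PIN_URI):
        print(describe(u))
        print("minimal:", minimal_uri(u))
```

`describe` on the post's key URI reports the label as `val` with 29 bytes of padding, the CKA_ID `33:32:31:30:33:61:36:37:36:65:32:34:35:62:32:31` as the text `32103a676e245b21`, and `minimal_uri` yields `pkcs11:token=val;id=32103a676e245b21;type=private`. If a shortened URI like that still fails while the long one selects the right object, the selection is not the problem and the login/PIN handling in the module is the next thing to look at.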