Re: Difficulties with network-manager-openconnect
- From: Dan Williams <dcbw redhat com>
- To: Michael Welsh Duggan <mwd md5i com>, networkmanager-list gnome org
- Subject: Re: Difficulties with network-manager-openconnect
- Date: Tue, 05 Apr 2016 12:33:06 -0500
On Tue, 2016-04-05 at 10:55 -0400, Michael Welsh Duggan wrote:
> Thomas Haller <thaller redhat com> writes:
> 
> > On Mon, 2016-04-04 at 22:09 -0400, Michael Welsh Duggan wrote:
> > > I'm having some difficulties using network-manager-openconnect.
> > > If I use openconnect directly:
> > > 
> > >   openconnect -c cert.pfx --authgroup=[GROUP] --no-xmlpost [SERVER]
> > > 
> > > everything works just fine.
> > > When I use network-manager I get the following:
> > > 
> > >   Server requested SSL client certificate after one was provided
> > >   Certificate Validation Failure
> > > 
> > > This used to work (many months ago). I don't know whether an update
> > > of nm was why things changed, or if it was a change of the VPN server
> > > at work.
> > > 
> > > I am using network-manager and network-manager-openconnect from Debian
> > > unstable:
> > > 
> > >   network-manager 0.9.10.0-1
> > >   network-manager-openconnect 0.9.8.6-1
> > > 
> > > I'm happy to provide more debugging information if someone would tell
> > > me what to provide.
> > 
> > When nm-openconnect starts the openconnect binary, it runs as a
> > different user. Make sure that that user is able to access the
> > certificate.
> 
> And what user might that be? NetworkManager and nm-dispatcher are
> running as root, as is nm-openconnect-service. Also, if it could not
> access the certificates, I would expect a different type of error.

nm-openconnect runs as root, but it spawns the actual openconnect
process as the 'nm-openconnect' user for security. That user must be
able to access your certificates.

Unfortunately libraries like OpenSSL/GnuTLS don't have great verbose
error reporting, and the "Certificate Validation Failure" message comes
from there, most likely (since it's not part of nm-openconnect source).
They don't report it to nm-openconnect, so nm-openconnect doesn't have
a great way to get it back to you, the user.

Dan

> > For example, if you have SELinux enabled, it needs proper labels.
> > Usually that means the certificate should be in the ~user/.certs
> > directory. Try with SELinux permissive mode or search for audit
> > warnings.
> 
> I do not have SELinux enabled.
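The point Dan makes is the one worth checking before anything else: the certificate is opened not by root but by the privilege-dropped 'nm-openconnect' user, and a PKCS#12 file sitting in a home directory with mode 0600 (or under a 0700 directory) is invisible to that user, even though "openconnect" run by hand as root or as the owner works fine. The script below is an added example, not code from NetworkManager, openconnect or anyone in this thread. It reproduces the kernel's basic mode-bit check for a given account: search (x) permission on every ancestor directory and read (r) permission on the file itself, evaluated with that account's uid and full group list, and reports the first component that blocks access. The function and script names are mine; the user name 'nm-openconnect' is taken from Dan's reply; everything else about the target system is an assumption. It only covers ordinary Unix permissions: POSIX ACLs, SELinux and AppArmor can still deny access that the mode bits allow.

```python
"""Check whether a service user can actually read a certificate file.

Added example, not NetworkManager or openconnect code.  Dan's reply says
nm-openconnect-service runs as root but spawns the real openconnect
process as the 'nm-openconnect' user, so the PKCS#12 file and every
directory above it must be accessible to that user.  This reproduces the
kernel's discretionary (mode-bit) check: search (x) on every ancestor
directory and read (r) on the file, using the user's uid and group list.
ACLs, SELinux and AppArmor are deliberately ignored, so a None result
means "nothing in the basic Unix permissions blocks it", not "it works".
"""
import os
import pwd
import stat
import sys
from typing import Optional, Sequence, Tuple


def _permitted(st: os.stat_result, uid: int, gids: Sequence[int],
               owner_bit: int, group_bit: int, other_bit: int) -> bool:
    """Select the owner/group/other permission class the kernel would use."""
    if uid == 0:
        return True  # root bypasses read and directory-search checks
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def first_blocking_component(path: str, uid: int,
                             gids: Sequence[int]) -> Optional[str]:
    """Return the first path component that denies `uid` a read of `path`
    (an ancestor directory without search permission, or the file itself
    without read permission), or None if the mode bits allow the read."""
    real = os.path.realpath(path)  # follow symlinks, as open(2) would
    parts = real.split(os.sep)
    ancestors = [os.sep]
    for part in parts[1:-1]:  # every directory between / and the file
        ancestors.append(os.path.join(ancestors[-1], part))
    for directory in ancestors:
        st = os.stat(directory)
        if not _permitted(st, uid, gids,
                          stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return directory
    st = os.stat(real)
    if not _permitted(st, uid, gids,
                      stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        return real
    return None


def resolve_user(username: str) -> Tuple[int, Sequence[int]]:
    """uid and full group list (primary plus supplementary) of a local user."""
    pw = pwd.getpwnam(username)  # KeyError if the account does not exist
    return pw.pw_uid, os.getgrouplist(pw.pw_name, pw.pw_gid)


def certificate_problem(path: str,
                        username: str = "nm-openconnect") -> Optional[str]:
    """Describe why `username` cannot read `path`, or None if the mode
    bits permit the read.  Default user name is the one Dan names."""
    try:
        uid, gids = resolve_user(username)
    except KeyError:
        return f"user {username!r} does not exist on this system"
    try:
        blocker = first_blocking_component(path, uid, gids)
    except FileNotFoundError:
        return f"{path} does not exist"
    if blocker is None:
        return None
    st = os.stat(blocker)
    kind = "directory" if stat.S_ISDIR(st.st_mode) else "file"
    return (f"{kind} {blocker} (mode {stat.S_IMODE(st.st_mode):04o}, "
            f"uid {st.st_uid}, gid {st.st_gid}) blocks {username}")


if __name__ == "__main__":
    # Usage: python3 check_cert_access.py /path/to/cert.pfx [username]
    target = sys.argv[1]
    who = sys.argv[2] if len(sys.argv) > 2 else "nm-openconnect"
    problem = certificate_problem(target, who)
    print(problem or f"{who} can read {target}")
```

If the script names the file itself as the blocker, the fix is not to make the PKCS#12 world-readable (it normally carries the private key). Give it to the service user by group instead, for example `chgrp nm-openconnect cert.pfx && chmod 640 cert.pfx`, assuming the package created a matching group; if it names a directory such as your home, either loosen search permission on that directory or move the file somewhere the service user can traverse, such as a dedicated directory under /etc with the same group ownership.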