David Woodhouse dwmw2 at
Wed Feb 24 12:38:53 UTC 2016

On Thu, 2015-10-01 at 15:55 +0000, Edwards, Kristofer wrote:
> I am running into an issue if libp11-kit0 is above version 0.20.7-1
> openconnect will no longer allow juniper connections.  It will go
> through the entire process and show that it established the
> connection
> but the resources are not available. 
> it shows the response of 
> Connected to HTTPS on
> SSL negotiation with
> Connected to HTTPS on
> Connected tun0 as x.x.x.x, using SSL 
> ESP session established with server
> drop to command line attempt connection to my workstation and it will
> not resolve nor ping.
> Rollback the libp11-kit0 version to 0.20.7-1 and everything is
> working as normal.

That's bizarre, especially if you aren't even *using* PKCS#11

Does the problem go away if you rebuild GnuTLS and/or OpenConnect
against the newer p11-kit? What version did you upgrade to?

I note that libp11-kit didn't bump its soname between the 0.20.7
release and later releases, and if there *was* an incompatible change
then it probably should have. But I'm still confused as to how an ABI
incompatibility in libp11-kit would lead to the symptoms you describe.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5691 bytes
Desc: not available
URL: <>

More information about the p11-glue mailing list