That CA cert and user cert should be added system-wide. You shouldn't have to specify them with curl. https://wiki.archlinux.org/index.php/Transport_Layer_Security
Search Criteria
Package Details: f5vpn 7246.2024.0201.1-2
Package Actions
| Git Clone URL: | https://aur.archlinux.org/f5vpn.git (read-only, click to copy) |
|---|---|
| Package Base: | f5vpn |
| Description: | VPN client using the Point-to-Point Protocol to connect to F5Networks BIG-IP APM |
| Upstream URL: | https://support.f5.com/csp/article/K32311645#link_04_05 |
| Licenses: | Commercial |
| Provides: | f5vpn |
| Submitter: | zrhoffman |
| Maintainer: | zrhoffman |
| Last Packager: | zrhoffman |
| Votes: | 10 |
| Popularity: | 0.002016 |
| First Submitted: | 2019-12-27 08:37 (UTC) |
| Last Updated: | 2024-04-10 11:04 (UTC) |
Dependencies (4)
- icu (icu-gitAUR)
- openssl (openssl-gitAUR, openssl-staticAUR)
- qt5-base (qt5-base-gitAUR, qt5-base-headlessAUR)
- qt5-webkitAUR (qt5-webkit-gitAUR, qt5-webkit-movableink-gitAUR)
Required by (0)
Sources (3)
zrhoffman commented on 2020-03-16 16:51 (UTC)
<deleted-account> commented on 2020-03-16 14:18 (UTC)
Hello,
Yeah i just recently found the log folder. :-)
I think it is because we use a PKCS#12 certificate per user. I manually imported this into my browser to acces the webpage, but I have no idea how to tackle this for your application
Here are the logs that confirm it:
2020-03-16,14:38:20:725, 26853,26853,, 48, /HttpNetworkManager.cpp, 205, void f5::qt::HttpNetworkManager::HttpGet(const QUrl&, uint32_t), starting GET request to, https://CLASSIFIED:6155/pre/config.php?version=2.0
2020-03-16,14:38:20:725, 26853,26853,, 48, /SessionManager.cpp, 204, bool f5::qt::SessionManager::CreateAndLaunchSessionInternal(const QUrl&), ----Session dfb50d2e starts----
2020-03-16,14:38:20:760, 26853,26853,, 1, /HttpNetworkManager.cpp, 120, void f5::qt::HttpNetworkManager::error(QNetworkReply::NetworkError), Error occurred while processing request (6)
2020-03-16,14:38:20:761, 26853,26853,, 1, /HttpNetworkManager.cpp, 263, void f5::qt::HttpNetworkManager::Finished(QNetworkReply*), Finished (code, error), 6, SSL handshake failed
Now, If I use my ps12 certstuff manually;
curl -v -k --key rasdist007key.pem --cacert rasdist007ca.pem --cert rasdist007client.pem https://CLASSIFIED:6155/pre/config.php?version
* Trying CLASSIFIED:6155...
* Connected to CLASSIFIED port 6155 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
Enter PEM pass phrase:
* successfully set certificate verify locations:
* CAfile: rasdist007ca.pem
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject:CLASSIFIED
* start date: Apr 15 00:00:00 2019 GMT
* expire date: Apr 19 12:00:00 2021 GMT
* issuer: CLASSIFIED
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET /pre/config.php?version HTTP/1.1
> Host: CLASSIFIED:6155
> User-Agent: curl/7.69.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Connection: Close
< Content-length: 429
<
<?xml version="1.0" encoding="utf-8"?>
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
<PROFILE VERSION="2.0"><SERVER....
Dont mind the CLASSIFIED, its to hide the sensitive information of our servers. But that curl works. I can see my profile.
My SSL knowledge/experience is too low how to make your tool use my personal certificate. I think this is the problem. What do you think?
zrhoffman commented on 2020-03-16 13:46 (UTC)
You might get some info on what is failing from the logs inside ~/.F5Networks/.
One possibility is that the RPM version the AUR package uses is too old or too new for your server. You could try rebuilding the package using an RPM downloaded directly from https://[server]/public/download/linux_f5vpn.x86_64.rpm.
<deleted-account> commented on 2020-03-16 12:32 (UTC)
Update: followed your instructions on https://github.com/zrhoffman/f5vpn-arch/.
I did get a valid f5-vpn:// url, after making the browser import all the needed certificates. I gave it to the f5vpn as instructed, got a trust popup, but then it showed nothing and it appears to stop.
Ill keep searching.
<deleted-account> commented on 2020-03-16 11:57 (UTC)
Im opening f5vpn and nothing happens, I can't even seem to trace the problem. I can see it running for a while and then it just gives up.
Any idea what Im missing here? I'd love to see this program work!
Pinned Comments
zrhoffman commented on 2023-07-24 22:01 (UTC) (edited on 2023-08-15 14:27 (UTC) by zrhoffman)
If you get an error that looks like
that means that your version of qt5-webkit is out-of-date with your icu version, and rebuilding/installing qt5-webkit` will fix your issue.
Since qt5-webkit takes a long time to build, see this comment from the maintainer of the qt5-webkit AUR package to download a build of that dependency.