openconnect: PKCS#11 support broken with GnuTLS 2.12.x

Bug #1308054 reported by Thomas Uhle
This bug affects 3 people
Affects               Status        Importance  Assigned to  Milestone
openconnect (Debian)  Fix Released  Unknown
openconnect (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

As already pointed out in Debian bug ticket #744214, the changes in gnutls.c from v5.01 to v5.02 yield a bug in line 510, which is now already fixed upstream in commit http://git.infradead.org/users/dwmw2/openconnect.git/patch/43e514b4f53c147936a7379e8e6fc67f78cae2fb but still breaks PKCS#11 support in the current version 5.02-1 (Ubuntu 14.04 LTS).
Mike, you have asked me to open this ticket, so please could you cherry-pick this patch for libopenconnect2 in Ubuntu 14.04 LTS.

Thank you in advance!

Thomas

Tags: trusty

Changed in openconnect (Debian):
status: Unknown → Confirmed
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openconnect (Ubuntu):
status: New → Confirmed
kenburgi (kwburgi) wrote :

Clean install of Ubuntu 14.04. I use openconnect to connect to a government VPN using the certificates on my ID (CAC). This is the error I get:

POST https://vpn.gateway/
Attempting to connect to server xxx.xxx.xxx.xxx:443
Using client certificate 'MY CERTIFICATE'
Setting certificate failed: Internal error in memory allocation.
Loading certificate failed. Aborting.
Failed to open HTTPS connection to vpn.gateway
GET https://vpn.gateway/
Attempting to connect to server xxx.xxx.xxx.xxx:443
Using client certificate 'MY CERTIFICATE'
Setting certificate failed: Internal error in memory allocation.
Loading certificate failed. Aborting.
Failed to open HTTPS connection to vpn.gateway

Booted to an Ubuntu 13.10 Live USB and it works fine. Current workaround is to manually install and version lock the openconnect & libopenconnect2 version 5.01-1 from the saucy repositories.

https://launchpad.net/ubuntu/+source/openconnect
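The downgrade-and-lock workaround described in the comment above, written out as an added example (not part of the bug report or of the openconnect project): a small shell script that emits an apt preferences file pinning the two packages named in the thread to 5.01-1. Package names and the version come from the thread; the preferences path and the use of a priority above 1000 (which is what lets apt keep an older version than the one in the release pocket) are standard apt behaviour, and the script does not itself fetch the saucy .deb files.

```shell
#!/bin/sh
# Added example: generate an apt pin for the 5.01-1 workaround.
# Package names and version are taken from the bug thread; everything
# else is an assumption about a stock Ubuntu 14.04 apt setup.

# Emit one apt preferences stanza. A Pin-Priority above 1000 allows apt
# to keep (or install) a version older than the one in the trusty pocket,
# which is what "version lock" in the thread requires.
pin_stanza() {
    # $1 = package name, $2 = exact version to pin
    printf 'Package: %s\nPin: version %s\nPin-Priority: 1001\n\n' "$1" "$2"
}

# Stanzas for both packages the workaround locks; the pinned version is
# the last one known in the thread to load PKCS#11 certificates.
openconnect_pin_file() {
    pin_stanza openconnect 5.01-1
    pin_stanza libopenconnect2 5.01-1
}

# Usage (as root), after fetching the 5.01-1 .deb files from the saucy
# pocket linked in the comment above:
#   openconnect_pin_file > /etc/apt/preferences.d/openconnect-pin
#   dpkg -i libopenconnect2_5.01-1_*.deb openconnect_5.01-1_*.deb
#   apt-mark hold openconnect libopenconnect2
#   apt-cache policy openconnect   # shows the pin and the held version
```

`apt-mark hold` and the preferences pin overlap on purpose: the hold stops unattended upgrades from replacing the package, and the pin makes `apt-cache policy` show the intended version so the lock is visible when auditing the box later. Both should be removed once the fixed package lands in 14.04, otherwise the host stays on an unpatched build indefinitely.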

Thomas Uhle (uhle) wrote :

Ken, you are right. This is exactly what happens without the patch from http://git.infradead.org/users/dwmw2/openconnect.git/patch/43e514b4f53c147936a7379e8e6fc67f78cae2fb .
I can confirm that downgrading and pinning openconnect and libopenconnect2 to version 5.01-1 is working, but that is IMHO just a work-around option.

Mike Miller (mtmiller)
tags: added: trusty
Changed in openconnect (Debian):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openconnect - 6.00-1

---------------
openconnect (6.00-1) unstable; urgency=medium

  * New upstream release, upload to unstable.
    - Fix regression breaking PKCS#11 token support. (Closes: #744214,
      LP: #1308054)
  * doc-remove-footer.patch: Remove, applied upstream.
  * Update libopenconnect3 shlibs and symbols files.

 -- Mike Miller <email address hidden> Tue, 08 Jul 2014 22:33:31 -0400

Changed in openconnect (Ubuntu):
status: Confirmed → Fix Released
Thomas Uhle (uhle) wrote :

Mike, I can confirm that this bug is fixed in version 6.00 which is wonderful. Yet this still does not fix release 5.02-1 in Ubuntu 14.04 LTS. Unfortunately, manually backporting and installing openconnect release 6.00-1 is not a solution since network-manager-openconnect-gnome depends on libopenconnect2. So could you please cherry-pick the patch from http://git.infradead.org/users/dwmw2/openconnect.git/patch/43e514b4f53c147936a7379e8e6fc67f78cae2fb for libopenconnect2 in Ubuntu 14.04 LTS.

Mike Miller (mtmiller) wrote :

Thanks Thomas, I remember that this does need to be fixed in 14.04 as well. I don't have the permissions to mark this bug as affecting a specific release, but I did tag it "trusty". I do plan on proposing an SRU for 14.04 now that this is fixed in the development release (or anyone else is welcome to as well).
