Opened 7 years ago
Last modified 7 years ago
#744 new Bug / Defect
Automatic restarting the VPN connection fails, if smartcard authentication is used
Reported by: | Bjoern Voigt | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | Generic / unclassified | Version: | OpenVPN 2.3.12 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | smartcard, certificate, PIV, Yubikey, OpenSC |
Cc: | David Sommerseth, Steffan Karger |
Description
When OpenVPN is configured with client SSL certificates on smartcards, only the initial smartcard authentication works.
After some time the server gets an "inactivity timeout" and forces the client to reconnect:
```
Thu Sep 29 18:09:44 2016 voigtmail/6.7.8.9:60430 [myusername] Inactivity timeout (--ping-restart), restarting
Thu Sep 29 18:53:58 2016 5.6.7.8:60430 TLS: Initial packet from [AF_INET]5.6.7.8:60430, sid=b23ecb44 b7950179
```
With the management interface, the user enters the correct PIN for the smartcard again:
```
>HOLD:Waiting for hold release
hold release
SUCCESS: hold release succeeded
>PASSWORD:Need 'PIV_II (PIV Card Holder pin) token' password
password 'PIV_II (PIV Card Holder pin) token' 123456
SUCCESS: 'PIV_II (PIV Card Holder pin) token' password entered, but not yet verified
>HOLD:Waiting for hold release
```
But the OpenVPN client is unable to get the smartcard certificate a second time. The OpenVPN client log:
```
Thu Sep 29 20:49:11 2016 MANAGEMENT: CMD 'hold release'
Thu Sep 29 20:49:11 2016 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Sep 29 20:49:11 2016 UDPv4 link local: [undef]
Thu Sep 29 20:49:11 2016 UDPv4 link remote: [AF_INET]100.1.2.3:1194
Thu Sep 29 20:49:11 2016 TLS: Initial packet from [AF_INET]176.28.8.208:1194, sid=fe884eab 3d62abcb
Thu Sep 29 20:49:11 2016 CRL CHECK OK: CN=My CA
Thu Sep 29 20:49:11 2016 VERIFY OK: depth=1, CN=My CA
Thu Sep 29 20:49:11 2016 Validating certificate key usage
Thu Sep 29 20:49:11 2016 ++ Certificate has key usage 00a0, expects 00a0
Thu Sep 29 20:49:11 2016 VERIFY KU OK
Thu Sep 29 20:49:11 2016 Validating certificate extended key usage
Thu Sep 29 20:49:11 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Sep 29 20:49:11 2016 VERIFY EKU OK
Thu Sep 29 20:49:11 2016 CRL CHECK OK: CN=www.my-domain.com
Thu Sep 29 20:49:11 2016 VERIFY OK: depth=0, CN=www.my-domain.com
Thu Sep 29 20:49:17 2016 MANAGEMENT: CMD 'password [...]'
Thu Sep 29 20:49:17 2016 PKCS#11: Cannot perform signature 5:'CKR_GENERAL_ERROR'
Thu Sep 29 20:49:17 2016 OpenSSL: error:14099006:SSL routines:ssl3_send_client_verify:EVP lib
Thu Sep 29 20:49:17 2016 TLS_ERROR: BIO read tls_read_plaintext error
Thu Sep 29 20:49:17 2016 TLS Error: TLS object -> incoming plaintext read error
Thu Sep 29 20:49:17 2016 TLS Error: TLS handshake failed
Thu Sep 29 20:49:17 2016 SIGUSR1[soft,tls-error] received, process restarting
```
The first error "PKCS#11: Cannot perform signature 5:'CKR_GENERAL_ERROR'" was already discussed in the OpenSC mailing list, unfortunately without results:
The OpenVPN server shows this in the logs:
```
Thu Sep 29 18:54:58 2016 5.6.7.8:60430 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Sep 29 18:54:58 2016 5.6.7.8:60430 TLS Error: TLS handshake failed
Thu Sep 29 18:54:58 2016 5.6.7.8:60430 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Sep 29 20:47:11 2016 5.6.7.8:56393 TLS: Initial packet from [AF_INET]5.6.7.8:56393, sid=39e1ac75 5fb99acd
Thu Sep 29 20:47:51 2016 5.6.7.8:43099 TLS: Initial packet from [AF_INET]5.6.7.8:43099, sid=38c31726 86110326
Thu Sep 29 20:48:11 2016 5.6.7.8:56393 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Sep 29 20:48:11 2016 5.6.7.8:56393 TLS Error: TLS handshake failed
Thu Sep 29 20:48:11 2016 5.6.7.8:56393 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Sep 29 20:48:51 2016 5.6.7.8:43099 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Sep 29 20:48:51 2016 5.6.7.8:43099 TLS Error: TLS handshake failed
Thu Sep 29 20:48:51 2016 5.6.7.8:43099 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Sep 29 20:49:11 2016 5.6.7.8:38836 TLS: Initial packet from [AF_INET]5.6.7.8:38836, sid=246bffc5 ed13edad
Thu Sep 29 20:50:11 2016 5.6.7.8:38836 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Sep 29 20:50:11 2016 5.6.7.8:38836 TLS Error: TLS handshake failed
Thu Sep 29 20:50:11 2016 5.6.7.8:38836 SIGUSR1[soft,tls-error] received, client-instance restarting
```
The failure can be resolved by restarting the OpenVPN client. Of course, the smartcard certificates can also be replaced with software certificates.
My setup:
- OpenVPN 2.3.12
- OpenVPN Server: Ubuntu 14.04, IP 100.1.2.3 (changed)
- OpenVPN Client: openSUSE Tumbleweed 20160926, IP 5.6.7.8 (changed)
- OpenSC 0.16
- PKCS11 Helper 1.11
- Authentication with 2048-bit EasyRSA certificates (both client and server; server: software certificate; client: certificate on the Yubikey 4)
- Smartcard: Yubikey 4 in PIV mode
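As an added example (my code, not part of the report or of OpenVPN), a small Python log check for the failure pattern described above. The point is that the server only logs the generic "check your network connectivity" message, while the client log shows the server chain verifying correctly before the PKCS#11 signature fails; a monitoring hook needs to tell those two cases apart. The sample log is constructed from the messages quoted in the report.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample, modelled on the client log quoted in the report (not a real capture).
SAMPLE_LOG = """\
Thu Sep 29 18:09:44 2016 Inactivity timeout (--ping-restart), restarting
Thu Sep 29 20:49:11 2016 MANAGEMENT: CMD 'hold release'
Thu Sep 29 20:49:11 2016 VERIFY OK: depth=0, CN=www.my-domain.com
Thu Sep 29 20:49:17 2016 MANAGEMENT: CMD 'password [...]'
Thu Sep 29 20:49:17 2016 PKCS#11: Cannot perform signature 5:'CKR_GENERAL_ERROR'
Thu Sep 29 20:49:17 2016 TLS Error: TLS handshake failed
Thu Sep 29 20:49:17 2016 SIGUSR1[soft,tls-error] received, process restarting
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<msg>.*)$")
PKCS11_RE = re.compile(r"PKCS#11: Cannot perform signature (\d+):'(CKR_\w+)'")

def parse(log: str) -> List[Tuple[datetime, str]]:
    """Split an OpenVPN client log into (timestamp, message) pairs; skip unparsable lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["msg"]))
    return events

def find_smartcard_reconnect_failures(log: str) -> List[Dict[str, object]]:
    """One finding per reconnect attempt (opened by a management 'hold release') in which
    the PKCS#11 signature failed; server_verified says whether the server chain was already OK."""
    findings = []
    attempt_start, server_verified = None, False
    for ts, msg in parse(log):
        if "MANAGEMENT: CMD 'hold release'" in msg:
            attempt_start, server_verified = ts, False  # a new reconnect attempt begins
        elif msg.startswith("VERIFY OK: depth=0"):
            server_verified = True  # network and server are fine; the problem is local
        elif attempt_start is not None and (m := PKCS11_RE.search(msg)):
            findings.append({
                "attempt_start": attempt_start,
                "failed_at": ts,
                "server_verified": server_verified,
                "ckr": m.group(2),
                "seconds_into_attempt": (ts - attempt_start).total_seconds(),
            })
        elif "process restarting" in msg:
            attempt_start = None  # attempt closed; OpenVPN holds again before the next try
    return findings
```

A finding with `server_verified` true and a `CKR_*` code is the smartcard-side failure from this report, not a connectivity issue, and is the condition under which restarting the client (the workaround above) is needed.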
Change History (2)
comment:1 Changed 7 years ago by
Cc: | David Sommerseth, Steffan Karger added |
---|---|
comment:2 Changed 7 years ago by
The timeout itself could be avoided with the setting "reneg-sec 0". With a stable network the described error becomes unlikely.
copying in dazo, syzzer "this is linux, yubikey, maybe one of you has an idea"