Opened 2 years ago

Last modified 13 months ago

#1215 new Bug / Defect

No PIN prompt for PKCS#11

Reported by: jans Owned by:
Priority: major Milestone:
Component: Generic / unclassified Version: OpenVPN 2.4.7 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: PKCS#11, smart card


I’m trying to use OpenVPN client with my client key stored on a Nitrokey Start (think of it as a smart card) and accessed via PKCS#11. In general it works but entering the PIN is an issue. On Linux (Ubuntu 18.04, SUSE Tumbleweed) as well as on Windows when starting OpenVPN client it waits for the PIN to be provided but doesn’t prompt the user to enter the PIN. Instead I have to open a separate terminal, telnet into the OpenVPN client and enter the PIN (tried on Linux). This is horrible user experience and I don’t think it’s the desired work flow. From what I read OpenVPN expects systemd to provide the PIN through systemd-ask-pass but systemd doesn’t prompt to enter a PIN. My impression is that systemd-ask-pass’s primarily focus is prompting for passwords during boot-time but not during run-time. Therefore I’m wondering if using systemd-ask-pass during run-time is a good idea. Since I face the same issue on Windows (where no systemd is installed, obviously) here the cause must be something else.

Looking at solving this issue I’m wondering:

a) An option for OpenVPN to enforce password prompt even when systemd exists, wouldn’t that make sense? (I couldn’t find such) In any case this is more a workaround instead of a proper solution.

b) What would be the systematic solution to that issue? Since this issue happens on Windows too, I don’t believe pushing this issue down to systemd would be the right approach.

Change History (5)

comment:1 Changed 2 years ago by jans

It seems that this is a duplicate of #538 for the systemd-part and a duplicate of #740 for the Windows-part. Sorry for that.

Last edited 2 years ago by jans (previous) (diff)

comment:2 Changed 2 years ago by Selva Nair

You have two unrelated issues:
First, you seems to have --management-query-passwords in the client config which directs openvpn to prompt for passwords and PIN from the management interface. If you want the PIN to be prompted from the command line, remove that option. That will work the way you expect on Windows and when not using systemd on Linux.

Second, systemd-pkcs11 interaction is currently "broken" as you noticed from #538. This is very likely fixed by a recent commit (will be available in the next release: 2.4.8) -- see

#740 is irrelevant unless you are using OpenVPN-GUI on Windows. If you are, the GUI should prompt for the PIN.

Version 0, edited 2 years ago by Selva Nair (next)

comment:3 Changed 23 months ago by Gert Döring

so, 2.4.8 is out - @jans: is this still happening?

comment:4 Changed 16 months ago by nfournil

In 2.4.8 from PPA there's PIN code, GREAT !

BUT the signature fails with stock OpenSC (0.14) :

{{{ Enter UserPIN () token Password:
Thu May 28 09:47:37 2020 us=174506 PKCS#11: Cannot perform signature 5:'CKR_GENERAL_ERROR'
Thu May 28 09:47:37 2020 us=174617 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
Thu May 28 09:47:37 2020 us=174632 TLS_ERROR: BIO read tls_read_plaintext error
Thu May 28 09:47:37 2020 us=174644 TLS Error: TLS object -> incoming plaintext read error
Thu May 28 09:47:37 2020 us=174655 TLS Error: TLS handshake failed
Thu May 28 09:47:37 2020 us=174875 Fatal TLS error (check_tls_errors_co), restarting
Thu May 28 09:47:37 2020 us=175045 TCP/UDP: Closing socket
Thu May 28 09:47:37 2020 us=175114 SIGUSR1[soft,tls-error] received, process restarting
Thu May 28 09:47:37 2020 us=175147 Restart pause, 5 second(s) }}}

It seems to be a function needed not present in OpenSC, add minimum version requirement in debian PPA headers to be perfect :-)

comment:5 Changed 13 months ago by Gert Döring

Not sure I can follow. What version of OpenSC is needed? Is that available as debian package?

IOW, who has to do what now?

Note: See TracTickets for help on using tickets.