Opened 4 years ago
Closed 4 years ago
#1249 closed Bug / Defect (fixed-external)
PKCS#11 (OpenSC) not working with OpenVPN on Mac OS X
Reported by: | squeezy | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | Generic / unclassified | Version: | OpenVPN 2.4.6 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: | | | |
Description
Hi,
I'm trying to use my Yubikey 5C to connect to an OpenVPN server.
The certificate was created on the Yubikey (CSR) using the "Yubikey PIV Manager" and signed by the CA used to sign the OpenVPN server's certificate.
Trying to connect always results in an error when the OpenVPN client asks for the PIN to unlock the certificate storage on the Yubikey (slot 9a).
I used the OpenSC tools to get the serialized ID of the imported certificate. As VPN client, I use Viscosity.
OpenVPN server version 2.4.6 is hosted on pfSense version 2.4.4. User authentication is done with an OpenLDAP server (works well).
Following is the error message I get when I enter the PIN that is asked for after user & password:
2020-02-04 11:52:08: PKCS#11: Cannot perform signature 32:'CKR_DATA_INVALID'
2020-02-04 11:52:08: OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
2020-02-04 11:52:08: TLS_ERROR: BIO read tls_read_plaintext error
2020-02-04 11:52:08: TLS Error: TLS object -> incoming plaintext read error
2020-02-04 11:52:08: TLS Error: TLS handshake failed
2020-02-04 11:52:08: TCP/UDP: Closing socket
The client configuration file uses these arguments:
- pkcs11-providers /Library/OpenSC/lib/opensc-pkcs11.so
- pkcs11-id 'piv_II/PKCS\x2315\x20emulated/fe58401dfe2196c3/token_name/01'
Is there a bug with PKCS#11?
Does anyone have an idea or a solution, please?
Thanks for reading,
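A check that is useful before digging into the signature error itself: confirm that the `pkcs11-id` in the client config actually names the token that OpenSC sees. The example below is added here and is not code from the ticket, from OpenVPN or from OpenSC. It assumes pkcs11-helper's serialization layout (manufacturer ID, model, serial number and token label, each with non-printable or reserved characters written as `\xHH`, followed by the object's CKA_ID in hex); the `pkcs11-tool -L` style listing is a sample I constructed to match the ticket's id, not output captured from the reporter's Yubikey.

```python
import re
from typing import Dict, List

# The pkcs11-id from the ticket, exactly as it appears in the client config.
SAMPLE_PKCS11_ID = r"'piv_II/PKCS\x2315\x20emulated/fe58401dfe2196c3/token_name/01'"

# Constructed sample of a `pkcs11-tool --module <opensc-pkcs11.so> -L` listing
# (hand-written for this example; field names follow pkcs11-tool's usual layout).
SAMPLE_TOKEN_LISTING = """\
Available slots:
Slot 0 (0x0): Yubico YubiKey OTP+FIDO+CCID
  token label        : token_name
  token manufacturer : piv_II
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : fe58401dfe2196c3
  pin min/max        : 4/8
"""

# Assumed field order of a pkcs11-helper serialized certificate id.
FIELDS = ["manufacturer", "model", "serial", "label", "object_id"]

# Maps our field names onto the keys pkcs11-tool prints for a token.
LISTING_KEYS = {
    "manufacturer": "token manufacturer",
    "model": "token model",
    "serial": "serial num",
    "label": "token label",
}


def unescape(field: str) -> str:
    """Turn pkcs11-helper's \\xHH escapes back into the original characters."""
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), field)


def parse_pkcs11_id(serialized: str) -> Dict[str, str]:
    """Split a pkcs11-id into its token attributes and object id.

    A literal '/' inside an attribute is always escaped as \\x2f, so splitting
    on '/' before unescaping is safe. Surrounding quotes from the config file
    are tolerated.
    """
    parts = serialized.strip().strip("'\"").split("/")
    if len(parts) != len(FIELDS):
        raise ValueError(
            f"expected {len(FIELDS)} '/'-separated fields, got {len(parts)}")
    return dict(zip(FIELDS, (unescape(p) for p in parts)))


def parse_token_listing(text: str) -> List[Dict[str, str]]:
    """Parse the 'key : value' lines under each 'Slot N' header."""
    tokens: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("Slot "):
            current = {}
            tokens.append(current)
            continue
        if not tokens or ":" not in line:
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return tokens


def matching_tokens(pkcs11_id: Dict[str, str],
                    listing: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the listed tokens whose attributes all equal those in the id."""
    return [
        tok for tok in listing
        if all(tok.get(LISTING_KEYS[f]) == pkcs11_id[f] for f in LISTING_KEYS)
    ]


if __name__ == "__main__":
    cert_id = parse_pkcs11_id(SAMPLE_PKCS11_ID)
    tokens = parse_token_listing(SAMPLE_TOKEN_LISTING)
    hits = matching_tokens(cert_id, tokens)
    print("decoded id:", cert_id)
    print("matching tokens:", len(hits))
```

If the decoded attributes match a listed token but `pkcs11-id` still fails, the id is not the problem and the signature path (the `CKR_DATA_INVALID` from the token, or the helper library between OpenSSL and the token) is where to look next.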
Change History (5)
comment:1 Changed 4 years ago by
comment:2 Changed 4 years ago by
This is a client-side error, nothing to do with the server 2.4.6 that you listed in the bug report. As you are using the Viscosity client, which ships with a custom build of OpenVPN, you will have to contact them to resolve this.
Likely related to https://sourceforge.net/p/openvpn/mailman/openvpn-devel/thread/63b81ed6-dce7-94b8-0dd5-8864a8314ec6%40nikhef.nl/#msg36636383 If so, the fix is in pkcs11-helper.
comment:3 Changed 4 years ago by
Hi,
Thank you for your answer.
I have contacted Viscosity support and am waiting for their reply.
I have tested with the openvpn client on Windows and I got the same error, same thing on Ubuntu. It's not a problem with the OS or with which client is used.
I don't understand how to fix pkcs11-helper. Could you help me please?
comment:4 Changed 4 years ago by
Hi,
I figured it out. Thank you for your help.
Could an administrator mark this as resolved, please?
Kind regards
comment:5 Changed 4 years ago by
Resolution: | → fixed-external |
---|---|
Status: | new → closed |