Opened 10 years ago

Closed 9 years ago

#490 closed Feature Wish (fixed)

System configured PKCS#11 modules are not available

Reported by: dwmw2
Owned by: Steffan Karger
Priority: major
Milestone:
Component: Generic / unclassified
Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:


OpenVPN seems to require that we specify a PKCS#11 provider module manually with the --pkcs11-providers option. Modern systems, however, use p11-kit to provide a consistent system configuration so that applications don't have to do that. Either we should use the p11-kit libraries to automatically load the system-configured modules if no --pkcs11-providers option is given, or perhaps we could just use the PKCS#11 module which will automatically load them for us into different slots.

Change History (4)

comment:1 Changed 10 years ago by Gert Döring

Type: Bug / Defect → Feature Wish

Patches are welcome.

Of the currently active developers, nobody really uses pkcs#11, so we're not going to implement this any time soon.

comment:2 Changed 10 years ago by dwmw2

FWIW if you wanted to use PKCS#11 it's fairly simple to do so on a modern Linux system. Even GNOME keyring offers pure software PKCS#11 functionality these days; you don't need any hardware. Just import a cert into GNOME keyring using the seahorse GUI application, and then it'll show up (after the patches I just sent to the mailing list) when you run openvpn --show-pkcs11-ids.

Patches at

comment:3 Changed 10 years ago by Steffan Karger

Owner: set to Steffan Karger
Status: new → accepted

comment:4 Changed 9 years ago by Gert Döring

Resolution: fixed
Status: accepted → closed

Thanks for the patches. As ACKed on the list, I've merged both patches to master and release/2.3:

commit 6f1d3cf062d5c33cbad4d521d157d43d53ffc7d1 (release/2.3)
commit 3c6d32205db88348c07c720b710b41548497819c (master)

Author: David Woodhouse
Date: Thu Dec 11 13:03:35 2014 +0000

pkcs11: Load module by default

commit a91a06cb291414c9e657377e44f7a57343ae7f5a (release/2.3)
commit 7c1d614c5c5282a73cb799f919eac6750363783a (master)

Author: David Woodhouse
Date: Thu Dec 18 12:25:06 2014 +0000

Make 'provider' option to --show-pkcs11-ids optional where p11-kit is present
