System configured PKCS#11 modules are not available

[dwmw2]

OpenVPN seems to require that we specify a PKCS#11 provider module manually with the --pkcs11-providers option. Modern systems, however, use p11-kit to provide a consistent system configuration so that applications don't have to do that. Either we should use the p11-kit libraries to automatically load the system-configured modules if no --pkcs11-providers option is given, or perhaps we could just use the p11-kit-proxy.so PKCS#11 module which will automatically do load them for us into different slots.

[Gert Döring]

Patches are welcome.

Of the currently active developers, nobody really uses pkcs#11, so we're not going to implement this any time soon.

[dwmw2]

FWIW if you wanted to use PKCS#11 it's fairly simple to do so on a modern Linux system. Even GNOME keyring offers pure software PKCS#11 functionality these days; you don't need any hardware. Just import a cert into GNOME keyring using the seahorse GUI application, and then it'll show up (after the patches I just sent to the mailing list) when you run openvpn --show-pkcs11-ids.

Patches at ​http://thread.gmane.org/gmane.network.openvpn.devel/9342

[Gert Döring]

Thanks for the patches. As ACKed on the list, I've merged both patches to master and release/2.3:

commit 6f1d3cf062d5c33cbad4d521d157d43d53ffc7d1 (release/2.3)
commit 3c6d32205db88348c07c720b710b41548497819c (master)

Author: David Woodhouse
Date: Thu Dec 11 13:03:35 2014 +0000

pkcs11: Load p11-kit-proxy.so module by default

commit a91a06cb291414c9e657377e44f7a57343ae7f5a (release/2.3)
commit 7c1d614c5c5282a73cb799f919eac6750363783a (master)

Author: David Woodhouse
Date: Thu Dec 18 12:25:06 2014 +0000

Make 'provider' option to --show-pkcs11-ids optional where p11-kit is present