Opened 10 years ago
Closed 10 years ago
#490 closed Feature Wish (fixed)
System configured PKCS#11 modules are not available
Reported by: | dwmw2 | Owned by: | Steffan Karger |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | Generic / unclassified | Version: | OpenVPN git master branch (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: |
Description
OpenVPN seems to require that we specify a PKCS#11 provider module manually with the --pkcs11-providers option. Modern systems, however, use p11-kit to provide a consistent system configuration so that applications don't have to do that. Either we should use the p11-kit libraries to automatically load the system-configured modules if no --pkcs11-providers option is given, or perhaps we could just use the p11-kit-proxy.so PKCS#11 module which will automatically load them for us into different slots.
Change History (4)
comment:1 Changed 10 years ago by
Type: | Bug / Defect → Feature Wish |
---|
comment:2 Changed 10 years ago by
FWIW if you wanted to use PKCS#11 it's fairly simple to do so on a modern Linux system. Even GNOME keyring offers pure software PKCS#11 functionality these days; you don't need any hardware. Just import a cert into GNOME keyring using the seahorse GUI application, and then it'll show up (after the patches I just sent to the mailing list) when you run openvpn --show-pkcs11-ids.
Patches at http://thread.gmane.org/gmane.network.openvpn.devel/9342
comment:3 Changed 10 years ago by
Owner: | set to Steffan Karger |
---|---|
Status: | new → accepted |
comment:4 Changed 10 years ago by
Resolution: | → fixed |
---|---|
Status: | accepted → closed |
Thanks for the patches. As ACKed on the list, I've merged both patches to master and release/2.3:
commit 6f1d3cf062d5c33cbad4d521d157d43d53ffc7d1 (release/2.3)
commit 3c6d32205db88348c07c720b710b41548497819c (master)
Author: David Woodhouse
Date: Thu Dec 11 13:03:35 2014 +0000
pkcs11: Load p11-kit-proxy.so module by default
commit a91a06cb291414c9e657377e44f7a57343ae7f5a (release/2.3)
commit 7c1d614c5c5282a73cb799f919eac6750363783a (master)
Author: David Woodhouse
Date: Thu Dec 18 12:25:06 2014 +0000
Make 'provider' option to --show-pkcs11-ids optional where p11-kit is present
Patches are welcome.
Of the currently active developers, nobody really uses pkcs#11, so we're not going to implement this any time soon.
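
Added example, not part of the ticket and not OpenVPN's code: a POSIX shell sketch of the fallback this ticket asks for, where an explicit provider wins and p11-kit-proxy.so is used otherwise. The function names, the P11_LIBDIRS fallback directories and the world-writable check are assumptions of this example; the proxy path is read from the `proxy_module` variable of p11-kit's pkg-config file when available.

```shell
#!/bin/sh
# Added example, not OpenVPN code: pick a PKCS#11 provider as the ticket proposes.
# An explicit provider wins; otherwise fall back to p11-kit-proxy.so.

# Fallback search directories are an assumption; override with P11_LIBDIRS.
P11_LIBDIRS="${P11_LIBDIRS:-/usr/lib64 /usr/lib /usr/lib/x86_64-linux-gnu /usr/local/lib}"

# The module is native code loaded into the OpenVPN process, so refuse a
# file any local user could overwrite (hardening added for this example).
module_is_safe() {
    [ -f "$1" ] || return 1
    [ -z "$(find -L "$1" -prune -perm -0002 2>/dev/null)" ]
}

find_p11_proxy() {
    # Ask p11-kit's pkg-config file first; PKG_CONFIG names the binary to use.
    p=$("${PKG_CONFIG:-pkg-config}" --variable=proxy_module p11-kit-1 2>/dev/null) || p=
    if [ -n "$p" ] && [ -f "$p" ]; then printf '%s\n' "$p"; return 0; fi
    for d in $P11_LIBDIRS; do
        if [ -f "$d/p11-kit-proxy.so" ]; then
            printf '%s\n' "$d/p11-kit-proxy.so"; return 0
        fi
    done
    return 1
}

# $1: provider given by the user (empty when none was given).
# Prints the module to load; returns 1 if none is found, 2 if it is unsafe.
resolve_pkcs11_provider() {
    provider=${1:-}
    if [ -z "$provider" ]; then
        provider=$(find_p11_proxy) || {
            echo "no provider given and p11-kit-proxy.so not found" >&2; return 1; }
    fi
    module_is_safe "$provider" || {
        echo "refusing missing or world-writable module: $provider" >&2; return 2; }
    printf '%s\n' "$provider"
}

# Typical use:
#   prov=$(resolve_pkcs11_provider "") && openvpn --show-pkcs11-ids "$prov"
```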