Opened 4 years ago

Last modified 4 years ago

#744 new Bug / Defect

Automatic restart of the VPN connection fails if smartcard authentication is used

Reported by: Bjoern Voigt Owned by:
Priority: major Milestone:
Component: Generic / unclassified Version: OpenVPN 2.3.12 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: smartcard, certificate, PIV, Yubikey, OpenSC
Cc: David Sommerseth, Steffan Karger

Description

When OpenVPN is configured with client SSL certificates on smartcards, only the initial smartcard authentication works.

After some time the server gets an "inactivity timeout" and forces the client to reconnect:

Thu Sep 29 18:09:44 2016 voigtmail/6.7.8.9:60430 [myusername] Inactivity timeout (--ping-restart), restarting
Thu Sep 29 18:53:58 2016 5.6.7.8:60430 TLS: Initial packet from [AF_INET]5.6.7.8:60430, sid=b23ecb44 b7950179

With the management interface, the user enters the correct PIN for the smartcard again:

>HOLD:Waiting for hold release
hold release
SUCCESS: hold release succeeded
>PASSWORD:Need 'PIV_II (PIV Card Holder pin) token' password
password 'PIV_II (PIV Card Holder pin) token' 123456
SUCCESS: 'PIV_II (PIV Card Holder pin) token' password entered, but not yet verified
>HOLD:Waiting for hold release

But the OpenVPN client is unable to get the smartcard certificate a second time. The OpenVPN client log:

Thu Sep 29 20:49:11 2016 MANAGEMENT: CMD 'hold release'
Thu Sep 29 20:49:11 2016 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Sep 29 20:49:11 2016 UDPv4 link local: [undef]
Thu Sep 29 20:49:11 2016 UDPv4 link remote: [AF_INET]100.1.2.3:1194
Thu Sep 29 20:49:11 2016 TLS: Initial packet from [AF_INET]176.28.8.208:1194, sid=fe884eab 3d62abcb
Thu Sep 29 20:49:11 2016 CRL CHECK OK: CN=My CA
Thu Sep 29 20:49:11 2016 VERIFY OK: depth=1, CN=My CA
Thu Sep 29 20:49:11 2016 Validating certificate key usage
Thu Sep 29 20:49:11 2016 ++ Certificate has key usage  00a0, expects 00a0
Thu Sep 29 20:49:11 2016 VERIFY KU OK
Thu Sep 29 20:49:11 2016 Validating certificate extended key usage
Thu Sep 29 20:49:11 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Sep 29 20:49:11 2016 VERIFY EKU OK
Thu Sep 29 20:49:11 2016 CRL CHECK OK: CN=www.my-domain.com
Thu Sep 29 20:49:11 2016 VERIFY OK: depth=0, CN=www.my-domain.com
Thu Sep 29 20:49:17 2016 MANAGEMENT: CMD 'password [...]'
Thu Sep 29 20:49:17 2016 PKCS#11: Cannot perform signature 5:'CKR_GENERAL_ERROR'
Thu Sep 29 20:49:17 2016 OpenSSL: error:14099006:SSL routines:ssl3_send_client_verify:EVP lib
Thu Sep 29 20:49:17 2016 TLS_ERROR: BIO read tls_read_plaintext error
Thu Sep 29 20:49:17 2016 TLS Error: TLS object -> incoming plaintext read error
Thu Sep 29 20:49:17 2016 TLS Error: TLS handshake failed
Thu Sep 29 20:49:17 2016 SIGUSR1[soft,tls-error] received, process restarting

The first error "PKCS#11: Cannot perform signature 5:'CKR_GENERAL_ERROR'" was already discussed on the OpenSC mailing list, unfortunately without results:

http://opensc.1086184.n5.nabble.com/C-Login-returns-CKR-GENERAL-ERROR-SCardBeginTransaction-failed-0x8010001d-td15288.html

The OpenVPN server shows this in the logs:

Thu Sep 29 18:54:58 2016 5.6.7.8:60430 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Sep 29 18:54:58 2016 5.6.7.8:60430 TLS Error: TLS handshake failed
Thu Sep 29 18:54:58 2016 5.6.7.8:60430 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Sep 29 20:47:11 2016 5.6.7.8:56393 TLS: Initial packet from [AF_INET]5.6.7.8:56393, sid=39e1ac75 5fb99acd
Thu Sep 29 20:47:51 2016 5.6.7.8:43099 TLS: Initial packet from [AF_INET]5.6.7.8:43099, sid=38c31726 86110326
Thu Sep 29 20:48:11 2016 5.6.7.8:56393 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Sep 29 20:48:11 2016 5.6.7.8:56393 TLS Error: TLS handshake failed
Thu Sep 29 20:48:11 2016 5.6.7.8:56393 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Sep 29 20:48:51 2016 5.6.7.8:43099 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Sep 29 20:48:51 2016 5.6.7.8:43099 TLS Error: TLS handshake failed
Thu Sep 29 20:48:51 2016 5.6.7.8:43099 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Sep 29 20:49:11 2016 5.6.7.8:38836 TLS: Initial packet from [AF_INET]5.6.7.8:38836, sid=246bffc5 ed13edad
Thu Sep 29 20:50:11 2016 5.6.7.8:38836 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Sep 29 20:50:11 2016 5.6.7.8:38836 TLS Error: TLS handshake failed
Thu Sep 29 20:50:11 2016 5.6.7.8:38836 SIGUSR1[soft,tls-error] received, client-instance restarting

The failure can be resolved by restarting the OpenVPN client. Of course, the smartcard certificates can also be replaced with software certificates.

My setup:

  • OpenVPN 2.3.12
  • OpenVPN Server: Ubuntu 14.04, IP 100.1.2.3 (changed)
  • OpenVPN Client: openSUSE Tumbleweed 20160926, IP 5.6.7.8 (changed)
  • OpenSC 0.16
  • PKCS11 Helper 1.11
  • Authentication with 2048-bit EasyRSA certificates (both client and server; server: software certificate; client: certificate on the Yubikey 4)
  • Smartcard: Yubikey 4 in PIV mode
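
The report shows the server logging only "check your network connectivity" while the client log carries the real cause, a PKCS#11 signing failure after the server chain was already verified. As an added example, not part of the ticket or of OpenVPN, the following parser walks an OpenVPN client log, isolates each handshake attempt and reports the attempts that died inside the token after the PIN was re-entered; the sample log is constructed from the messages quoted above, and the function names are my own.

```python
import re
from datetime import datetime

# Constructed sample, condensed from the client log messages quoted in the ticket.
SAMPLE_CLIENT_LOG = """\
Thu Sep 29 20:49:11 2016 MANAGEMENT: CMD 'hold release'
Thu Sep 29 20:49:11 2016 TLS: Initial packet from [AF_INET]100.1.2.3:1194, sid=fe884eab 3d62abcb
Thu Sep 29 20:49:11 2016 VERIFY OK: depth=1, CN=My CA
Thu Sep 29 20:49:11 2016 VERIFY OK: depth=0, CN=www.my-domain.com
Thu Sep 29 20:49:17 2016 MANAGEMENT: CMD 'password [...]'
Thu Sep 29 20:49:17 2016 PKCS#11: Cannot perform signature 5:'CKR_GENERAL_ERROR'
Thu Sep 29 20:49:17 2016 TLS Error: TLS handshake failed
Thu Sep 29 20:49:17 2016 SIGUSR1[soft,tls-error] received, process restarting
"""

LINE_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (.*)$")
PKCS11_RE = re.compile(r"PKCS#11: Cannot perform signature (\d+):'(CKR_\w+)'")
TS_FMT = "%a %b %d %H:%M:%S %Y"  # OpenVPN's default ctime-style timestamp


def find_token_reauth_failures(log_text):
    """One finding per handshake attempt that ended in a soft restart after the
    PKCS#11 token refused to sign the client CertificateVerify."""
    findings, attempt = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = datetime.strptime(m.group(1), TS_FMT), m.group(2)
        if "TLS: Initial packet from" in msg:          # a new handshake attempt begins
            attempt = {"started": ts, "server_verified": False, "pin_entered": False, "ckr": None}
        elif attempt is None:
            continue
        elif msg.startswith("VERIFY OK: depth=0"):    # server leaf certificate validated
            attempt["server_verified"] = True
        elif msg.startswith("MANAGEMENT: CMD 'password"):  # PIN supplied over management interface
            attempt["pin_entered"] = True
        elif (pk := PKCS11_RE.search(msg)):
            attempt["rv"], attempt["ckr"] = int(pk.group(1)), pk.group(2)
        elif msg.startswith("SIGUSR1[soft,tls-error]"):
            if attempt["ckr"]:
                attempt["failed"] = ts
                attempt["seconds_to_fail"] = int((ts - attempt["started"]).total_seconds())
                findings.append(attempt)
            attempt = None
    return findings


def summarize(finding):
    """Triage verdict: a verified server chain plus a CKR error means the token,
    not the network, broke the reconnect."""
    if finding["server_verified"] and finding["ckr"]:
        where = "after PIN re-entry" if finding["pin_entered"] else "before any PIN prompt"
        return f"token signing failed ({finding['ckr']}) {where}; server chain verified, so not a network fault"
    return "handshake failed for another reason"
```

Run over a real client log written with verb 3 or higher, each finding pairs with a server-side "TLS key negotiation failed to occur within 60 seconds" entry for the same client port, which lets the two messages be read together.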

Change History (2)

comment:1 Changed 4 years ago by Gert Döring

Cc: David Sommerseth Steffan Karger added

copying in dazo, syzzer "this is linux, yubikey, maybe one of you has an idea"

comment:2 Changed 4 years ago by Bjoern Voigt

The timeout itself could be avoided with the setting "reneg-sec 0". With a stable network the described error becomes unlikely.
