Ticket #744: Automatically restarting the VPN connection fails if smartcard authentication is used

Reporter: Bjoern Voigt
Owner: (none)
Type: Bug / Defect
Status: new
Priority: major
Milestone: (none)
Component: Generic / unclassified
Version: OpenVPN 2.3.12 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer)
Resolution: (none)
Keywords: smartcard, certificate, PIV, Yubikey, OpenSC
Cc: David Sommerseth, Steffan Karger

Description:

When OpenVPN is configured with client SSL certificates on smartcards, only the initial smartcard authentication works. After some time the server gets an "inactivity timeout" and forces the client to reconnect:

{{{
Thu Sep 29 18:09:44 2016 voigtmail/6.7.8.9:60430 [myusername] Inactivity timeout (--ping-restart), restarting
Thu Sep 29 18:53:58 2016 5.6.7.8:60430 TLS: Initial packet from [AF_INET]5.6.7.8:60430, sid=b23ecb44 b7950179
}}}

With the management interface, the user enters the correct PIN for the smartcard again:

{{{
>HOLD:Waiting for hold release
hold release
SUCCESS: hold release succeeded
>PASSWORD:Need 'PIV_II (PIV Card Holder pin) token' password
password 'PIV_II (PIV Card Holder pin) token' 123456
SUCCESS: 'PIV_II (PIV Card Holder pin) token' password entered, but not yet verified
>HOLD:Waiting for hold release
}}}

But the OpenVPN client is unable to get the smartcard certificate a second time.

The OpenVPN client log:

{{{
Thu Sep 29 20:49:11 2016 MANAGEMENT: CMD 'hold release'
Thu Sep 29 20:49:11 2016 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Sep 29 20:49:11 2016 UDPv4 link local: [undef]
Thu Sep 29 20:49:11 2016 UDPv4 link remote: [AF_INET]100.1.2.3:1194
Thu Sep 29 20:49:11 2016 TLS: Initial packet from [AF_INET]176.28.8.208:1194, sid=fe884eab 3d62abcb
Thu Sep 29 20:49:11 2016 CRL CHECK OK: CN=My CA
Thu Sep 29 20:49:11 2016 VERIFY OK: depth=1, CN=My CA
Thu Sep 29 20:49:11 2016 Validating certificate key usage
Thu Sep 29 20:49:11 2016 ++ Certificate has key usage 00a0, expects 00a0
Thu Sep 29 20:49:11 2016 VERIFY KU OK
Thu Sep 29 20:49:11 2016 Validating certificate extended key usage
Thu Sep 29 20:49:11 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Sep 29 20:49:11 2016 VERIFY EKU OK
Thu Sep 29 20:49:11 2016 CRL CHECK OK: CN=www.my-domain.com
Thu Sep 29 20:49:11 2016 VERIFY OK: depth=0, CN=www.my-domain.com
Thu Sep 29 20:49:17 2016 MANAGEMENT: CMD 'password [...]'
Thu Sep 29 20:49:17 2016 PKCS#11: Cannot perform signature 5:'CKR_GENERAL_ERROR'
Thu Sep 29 20:49:17 2016 OpenSSL: error:14099006:SSL routines:ssl3_send_client_verify:EVP lib
Thu Sep 29 20:49:17 2016 TLS_ERROR: BIO read tls_read_plaintext error
Thu Sep 29 20:49:17 2016 TLS Error: TLS object -> incoming plaintext read error
Thu Sep 29 20:49:17 2016 TLS Error: TLS handshake failed
Thu Sep 29 20:49:17 2016 SIGUSR1[soft,tls-error] received, process restarting
}}}

The first error "PKCS#11: Cannot perform signature 5:'CKR_GENERAL_ERROR'" was already discussed on the OpenSC mailing list, unfortunately without results: http://opensc.1086184.n5.nabble.com/C-Login-returns-CKR-GENERAL-ERROR-SCardBeginTransaction-failed-0x8010001d-td15288.html

The OpenVPN server shows this in the logs:

{{{
Thu Sep 29 18:54:58 2016 5.6.7.8:60430 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Sep 29 18:54:58 2016 5.6.7.8:60430 TLS Error: TLS handshake failed
Thu Sep 29 18:54:58 2016 5.6.7.8:60430 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Sep 29 20:47:11 2016 5.6.7.8:56393 TLS: Initial packet from [AF_INET]5.6.7.8:56393, sid=39e1ac75 5fb99acd
Thu Sep 29 20:47:51 2016 5.6.7.8:43099 TLS: Initial packet from [AF_INET]5.6.7.8:43099, sid=38c31726 86110326
Thu Sep 29 20:48:11 2016 5.6.7.8:56393 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Sep 29 20:48:11 2016 5.6.7.8:56393 TLS Error: TLS handshake failed
Thu Sep 29 20:48:11 2016 5.6.7.8:56393 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Sep 29 20:48:51 2016 5.6.7.8:43099 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Sep 29 20:48:51 2016 5.6.7.8:43099 TLS Error: TLS handshake failed
Thu Sep 29 20:48:51 2016 5.6.7.8:43099 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Sep 29 20:49:11 2016 5.6.7.8:38836 TLS: Initial packet from [AF_INET]5.6.7.8:38836, sid=246bffc5 ed13edad
Thu Sep 29 20:50:11 2016 5.6.7.8:38836 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Sep 29 20:50:11 2016 5.6.7.8:38836 TLS Error: TLS handshake failed
Thu Sep 29 20:50:11 2016 5.6.7.8:38836 SIGUSR1[soft,tls-error] received, client-instance restarting
}}}

The failure can be resolved by restarting the OpenVPN client. Of course, the smartcard certificates can also be replaced with software certificates.

My setup:
 * OpenVPN 2.3.12
 * OpenVPN Server: Ubuntu 14.04, IP 100.1.2.3 (changed)
 * OpenVPN Client: openSUSE Tumbleweed 20160926, IP 5.6.7.8 (changed)
 * OpenSC 0.16
 * PKCS11 Helper 1.11
 * Authentication with 2048 Bit EasyRSA certificates (both client and server; server: software certificate; client: certificate on the Yubikey 4)
 * Smartcard: Yubikey 4 in PIV mode
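The management-interface exchange quoted in the ticket, as an added example that is not part of the report or of OpenVPN's own code. The script scripts the same dialogue (release the hold, answer the `>PASSWORD:Need '...' password` prompt) and, because in the ticket a re-entered PIN only leads to the `PKCS#11: Cannot perform signature` failure until the client is restarted, it watches the `>LOG:` stream for that error and stops releasing the hold once it appears, so the operator restarts the client instead of looping. It assumes OpenVPN runs with `--management`, `--management-hold` and `--management-query-passwords` (which the prompts in the ticket imply) and that `log on` has been issued so the PKCS#11 error is visible on the management channel; the host, port, PIN and transcript below are constructed, not captured from the reporter's system.

```python
"""Scripted PIN entry for the OpenVPN management interface.

Added example, not code from the ticket or from OpenVPN itself. Assumes
--management <host> <port>, --management-hold and
--management-query-passwords, plus "log on" so that the PKCS#11 error
surfaces as a >LOG: line. Token name, PIN and transcript are constructed.
"""
import re
import socket
from typing import Iterable, List, Optional

# ">PASSWORD:Need '<token>' password"; the token name may contain spaces.
PASSWORD_NEED = re.compile(r"^>PASSWORD:Need '(?P<token>.*)' password$")
# ">LOG:<unix time>,<flags>,<message>", the format streamed after "log on".
LOG_LINE = re.compile(r"^>LOG:(?P<ts>\d+),(?P<flags>[A-Z]*),(?P<msg>.*)$")
SIGN_FAILED = "PKCS#11: Cannot perform signature"


def quote(arg: str) -> str:
    """Quote a management-interface argument: wrap in single quotes and
    backslash-escape embedded backslashes and single quotes."""
    return "'" + arg.replace("\\", "\\\\").replace("'", "\\'") + "'"


class PinResponder:
    """Turns management notifications into commands. Once a PKCS#11
    signature failure has been logged it no longer releases the hold,
    because in the ticket only a client restart clears that state and
    re-entering the PIN just repeats the failed handshake."""

    def __init__(self, pin: str) -> None:
        self.pin = pin
        self.pin_sent = 0
        self.sign_failed = False

    def handle(self, line: str) -> Optional[str]:
        line = line.rstrip("\r\n")
        if line.startswith(">HOLD:"):
            return None if self.sign_failed else "hold release"
        m = PASSWORD_NEED.match(line)
        if m:
            self.pin_sent += 1
            return f"password {quote(m.group('token'))} {quote(self.pin)}"
        m = LOG_LINE.match(line)
        if m and SIGN_FAILED in m.group("msg"):
            self.sign_failed = True
        return None


def run(lines: Iterable[str], responder: PinResponder) -> List[str]:
    """Feed an offline transcript through the responder and return the
    commands it would have sent, in order."""
    sent: List[str] = []
    for line in lines:
        cmd = responder.handle(line)
        if cmd is not None:
            sent.append(cmd)
    return sent


def drive(host: str, port: int, pin: str) -> PinResponder:
    """Same logic against a live management socket (not exercised offline)."""
    responder = PinResponder(pin)
    with socket.create_connection((host, port)) as sock:
        f = sock.makefile("rw", encoding="utf-8", newline="\n")
        f.write("log on\n")
        f.flush()
        for line in f:
            cmd = responder.handle(line)
            if cmd is not None:
                f.write(cmd + "\n")
                f.flush()
            if responder.sign_failed:
                break  # hand back to the operator: the client needs a restart
    return responder


# Constructed transcript following the ticket's exchange, plus the PKCS#11
# error as it would appear via "log on" (timestamp and flag are made up).
SAMPLE = [
    ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info",
    ">HOLD:Waiting for hold release",
    "SUCCESS: hold release succeeded",
    ">PASSWORD:Need 'PIV_II (PIV Card Holder pin) token' password",
    "SUCCESS: 'PIV_II (PIV Card Holder pin) token' password entered, but not yet verified",
    ">LOG:1475174957,N,PKCS#11: Cannot perform signature 5:'CKR_GENERAL_ERROR'",
    ">HOLD:Waiting for hold release",
]

if __name__ == "__main__":
    r = PinResponder("123456")
    for cmd in run(SAMPLE, r):
        print("->", cmd)
    print("signature failed, client restart needed:", r.sign_failed)
```

Run against the constructed transcript the responder sends `hold release` and the `password` command once, then sees the PKCS#11 error and leaves the second `>HOLD:` unanswered. Against a real client, `drive("127.0.0.1", 7505, pin)` does the same over the socket; the PIN is quoted like the token name so a PIN containing a space or quote cannot break the command line.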