Opened 3 years ago

Last modified 3 months ago

#92 new Bug / Defect

pkcs#11 rekeying fails unless 'script-security 2 system' is used

Reported by: janjust
Owned by:
Priority: minor
Milestone:
Component: Crypto
Version: 2.1.0 / 2.1.1
Severity: Not set
Keywords: opensc
Cc: samuli

Description

Rekeying fails when an OpenSC-based PKCS#11 driver is used. This is due to the way OpenVPN forks and execs itself. By adding

script-security 2 system

rekeying does succeed.
The OpenSC PKCS#11 driver tracks the passwords entered via the process ID; in normal operation, OpenVPN seems to switch process IDs every time it executes an external program, such as /sbin/ip and 'route'.

Change History (5)

comment:1 Changed 23 months ago by alonbl

INVALID.

If you use PKCS#11 you must use the management interface to enter passphrases.

As PKCS#11 can expire the password at any given time, and also if the card is removed/inserted, a passphrase will be needed.
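The management-interface approach recommended above, as an added example that is not part of the ticket or of OpenVPN's own code: a small Python responder that connects to OpenVPN's management port and answers the >PASSWORD: queries, so the passphrase never depends on a tty or on script-security. It assumes the notification and reply formats documented in OpenVPN's management-notes.txt (">PASSWORD:Need '<prompt>' password", ">PASSWORD:Need '<prompt>' username/password", ">PASSWORD:Verification Failed: '<prompt>'" and the "username"/"password" replies); that a PKCS#11 token PIN is queried under the prompt name "PKCS#11 Token" is an assumption, as are the host/port, the provider path and the token id in the config.

```python
"""Answer OpenVPN management-interface PASSWORD queries from a helper process.

Added example, not code from the ticket or from the OpenVPN project.
Assumptions: the >PASSWORD: line formats from management-notes.txt, the
prompt name "PKCS#11 Token" for a token PIN, and placeholder host, port,
provider path and pkcs11-id.
"""
import re
import socket

# Client config that pairs with this responder (constructed for the example;
# the provider path and the pkcs11-id value are placeholders).
CLIENT_CONFIG = """\
client
dev tun
remote vpn.example.com 1194
pkcs11-providers /usr/lib/opensc-pkcs11.so
pkcs11-id 'PLACEHOLDER-TOKEN-ID'
# Hand passphrase prompts to the management channel instead of the tty.
management 127.0.0.1 7505
management-query-passwords
"""

NEED_RE = re.compile(
    r"^>PASSWORD:Need '(?P<prompt>[^']+)' (?P<kind>password|username/password)$")
FAILED_RE = re.compile(r"^>PASSWORD:Verification Failed: '(?P<prompt>[^']+)'$")


def mgmt_quote(value: str) -> str:
    """Quote one command argument: backslash-escape backslash and double quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


class PasswordResponder:
    """Maps >PASSWORD: notifications to the commands that answer them.

    secrets maps a prompt name to a password (str) or a (username, password)
    tuple.  The cap on verification failures per prompt is deliberate:
    a smartcard locks after a few wrong PINs, so a helper that retries the
    same wrong PIN on every re-query can brick the token.
    """

    def __init__(self, secrets, max_failures=2):
        self.secrets = secrets
        self.max_failures = max_failures
        self.failures = {}

    def reply(self, line: str):
        """Return the list of commands to send for one notification line."""
        line = line.rstrip("\r\n")
        m = FAILED_RE.match(line)
        if m:
            prompt = m.group("prompt")
            self.failures[prompt] = self.failures.get(prompt, 0) + 1
            if self.failures[prompt] >= self.max_failures:
                raise RuntimeError(
                    f"giving up on {prompt!r} after {self.failures[prompt]} failures")
            return []  # nothing to send; wait for OpenVPN's next query, if any
        m = NEED_RE.match(line)
        if not m:
            return []  # some other notification (>INFO, >STATE, ...)
        prompt, kind = m.group("prompt"), m.group("kind")
        if prompt not in self.secrets:
            raise KeyError(f"no secret configured for prompt {prompt!r}")
        if kind == "username/password":
            user, pw = self.secrets[prompt]
            return [f"username {mgmt_quote(prompt)} {mgmt_quote(user)}",
                    f"password {mgmt_quote(prompt)} {mgmt_quote(pw)}"]
        return [f"password {mgmt_quote(prompt)} {mgmt_quote(self.secrets[prompt])}"]


def serve(host, port, secrets):
    """Connect to a running OpenVPN's management port and answer until EOF."""
    responder = PasswordResponder(secrets)
    with socket.create_connection((host, port)) as sock, \
            sock.makefile("rw", encoding="utf-8", newline="\n") as chan:
        for line in chan:
            for cmd in responder.reply(line):
                chan.write(cmd + "\n")
            chan.flush()


if __name__ == "__main__":
    # Prompt name and PIN are placeholders; read the PIN from a secure store.
    serve("127.0.0.1", 7505, {"PKCS#11 Token": "1234"})
```

Because the helper keeps the connection open, it can answer the same prompt again after a re-keying or a card re-insert, which is exactly the case where a one-shot tty prompt is no longer available; check the prompt name OpenVPN actually sends on your build before relying on the "PKCS#11 Token" key.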

comment:2 Changed 20 months ago by dazo

Alon, are you sure this isn't an issue?

How I understand it, when using the opensc pkcs#11 the openvpn connection drops if the openvpn session does a re-keying caused by --reneg-* settings. Or is it designed like it should ask for the pkcs#11 passphrase each time?

comment:3 Changed 9 months ago by samuli

  • Keywords opensc added

Whether the actual report is valid or not, the workaround proposed above no longer works, as there is no "system" method in the script-security option anymore.

comment:4 Changed 3 months ago by cron2

  • Cc samuli added

Seems we really need to find a developer who has access to a pkcs#11 smartcard, to figure out whether all these pkcs#11 tickets are still valid or not.

Samuli, can you get someone from OpenVPN Tech onto this? If it's broken, it is broken for OpenVPN Connect on Linux and MacOS as well, as that's also 2.x code base...

comment:5 Changed 3 months ago by janjust

I can provide some pkcs11 tokens (old Aladdin eTokens) for some of the core developers. Those tokens can be accessed using opensc and/or the proprietary Aladdin driver software.
