Opened 13 years ago

Closed 15 months ago

#92 closed Bug / Defect (fixed)

pkcs#11 rekeying fails unless 'script-security 2 system' is used

Reported by: JJK
Owned by:
Priority: minor
Milestone:
Component: Crypto
Version: OpenVPN 2.1.0 / 2.1.1 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords: opensc volunteer
Cc: becm

Description

Rekeying fails when an opensc-based pkcs#11 driver is used. This is due to the way OpenVPN forks and execs itself. By adding

script-security 2 system

rekeying does succeed.
The opensc pkcs#11 driver tracks the passwords entered via the process id; in normal operation, OpenVPN seems to switch process ids every time it executes an external program, such as /sbin/ip and 'route'.

Change History (9)

comment:1 Changed 12 years ago by alonbl

INVALID.

If you use PKCS#11 you must use the management interface to enter passphrases.

As PKCS#11 can expire the password at any given time; also, if the card is removed/inserted, a passphrase will be needed.

comment:2 Changed 12 years ago by David Sommerseth

Alon, are you sure this isn't an issue?

How I understand it, when using the opensc pkcs#11 the openvpn connection drops if the openvpn session does a re-keying caused by --reneg-* settings. Or is it designed like it should ask for the pkcs#11 passphrase each time?

comment:3 Changed 11 years ago by Samuli Seppänen

Keywords: opensc added

Whether the actual report is valid or not, the workaround proposed above no longer works, as there is no method "system" in script-security option anymore.

comment:4 Changed 10 years ago by Gert Döring

Cc: Samuli Seppänen added

Seems we really need to find a developer who has access to a pkcs#11 smartcard, to figure out whether all these pkcs#11 tickets are still valid or not.

Samuli, can you get someone from OpenVPN Tech onto this? If it's broken, it is broken for OpenVPN Connect on Linux and MacOS as well, as that's also 2.x code base...

comment:5 Changed 10 years ago by JJK

I can provide some pkcs11 tokens (old Aladdin eTokens) for some of the core developers. Those tokens can be accessed using opensc and/or the proprietary Aladdin driver software.

comment:6 Changed 9 years ago by dwmw2

You don't need hardware; GNOME keyring offers a PKCS#11 module these days. And there's also SoftHSM.

comment:7 Changed 9 years ago by Samuli Seppänen

Cc: james@… added; Samuli Seppänen removed
Keywords: volunteer added

comment:8 Changed 15 months ago by Gert Döring

Cc: becm added; james@… removed

The code has seen a few fixes related to fork() getting in the way of pkcs11 (et al), so I guess this is no longer an issue.

Can anyone confirm? Then we can close this.

comment:9 Changed 15 months ago by Gert Döring

Resolution: fixed
Status: new → closed

A-ha. We fixed this all in 2019 / 2.4, it seems...

https://github.com/OpenVPN/openvpn/pull/121

(and maybe already earlier when changing the initialization sequence).

Closing this. pkcs11 related bugs are coming back to haunt us, but then they will need to go to new issues.
