Opened 12 years ago

Last modified 8 years ago

#92 new Bug / Defect

pkcs#11 rekeying fails unless 'script-security 2 system' is used

Reported by: JJK Owned by:
Priority: minor Milestone:
Component: Crypto Version: OpenVPN 2.1.0 / 2.1.1 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: opensc volunteer
Cc: james@…


Rekeying fails when an opensc-based PKCS#11 driver is used. This is due to the way OpenVPN forks and execs itself. By adding

script-security 2 system

rekeying does succeed.
The opensc PKCS#11 driver tracks the passwords entered via the process id; in normal operation, OpenVPN seems to switch process ids every time it executes an external program, such as /sbin/ip and 'route'.

Change History (7)

comment:1 Changed 11 years ago by alonbl


If you use PKCS#11 you must use the management interface to enter passphrases.

As PKCS#11 can expire the password at any given time, and a passphrase will also be needed if the card is removed/inserted.
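The management-interface approach the comment above refers to, as an added example that is not part of this ticket or of OpenVPN's own code: a small client that answers the real-time `>PASSWORD:` notifications OpenVPN emits when started with `management` and `management-query-passwords`, so a token PIN can be re-supplied whenever the PKCS#11 module asks for it again (after a rekey, or after the card is removed and reinserted) without any console interaction. The host/port, the config fragment in the docstring, the PIN values and the exact password "type" strings used in the test are assumptions for illustration; the notification and command formats follow OpenVPN's management-notes documentation.

```python
"""Answer OpenVPN management-interface password queries for a PKCS#11 token.

Added example, not code from the ticket or from OpenVPN. It assumes the
OpenVPN instance was started with a config containing (constructed fragment;
the socket address and provider path are assumptions):

    management 127.0.0.1 7505
    management-query-passwords
    pkcs11-providers /usr/lib/opensc-pkcs11.so

so that passphrases are requested over the management channel as
">PASSWORD:Need '<type>' password" notifications instead of on the console.
The <type> string for a token prompt is whatever OpenVPN puts in the prompt
(for PKCS#11 it is derived from the token label); capture it from the first
prompt and key `secrets` on it.
"""
import re
import socket

# Real-time notifications as documented in OpenVPN's management-notes.txt.
NEED_PASSWORD = re.compile(r"^>PASSWORD:Need '(?P<type>[^']+)' password$")
NEED_USERPASS = re.compile(r"^>PASSWORD:Need '(?P<type>[^']+)' username/password$")
VERIFY_FAILED = re.compile(r"^>PASSWORD:Verification Failed: '(?P<type>[^']+)'$")


def quote(value: str) -> str:
    """Quote a value for the management protocol.

    Backslash and double quote inside the value are escaped with a backslash,
    so a PIN containing either character is not truncated or misparsed.
    """
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def respond(line: str, secrets: dict) -> list:
    """Map one management notification line to the command lines answering it.

    `secrets` maps the password type named in the prompt to either a PIN
    string (for "password" prompts) or a (username, password) tuple (for
    "username/password" prompts). Types not present in `secrets` get no
    answer, so a prompt for a different token never receives this token's PIN.
    A verification failure raises instead of retrying, because repeated wrong
    PINs would lock the token.
    """
    m = VERIFY_FAILED.match(line)
    if m:
        raise RuntimeError("OpenVPN rejected the %r secret" % m.group("type"))

    m = NEED_USERPASS.match(line)
    if m and m.group("type") in secrets:
        user, pw = secrets[m.group("type")]
        t = quote(m.group("type"))
        return ["username %s %s" % (t, quote(user)),
                "password %s %s" % (t, quote(pw))]

    m = NEED_PASSWORD.match(line)
    if m and m.group("type") in secrets:
        t = quote(m.group("type"))
        return ["password %s %s" % (t, quote(secrets[m.group("type")]))]

    return []


def serve(host: str, port: int, secrets: dict) -> None:
    """Connect to the management socket and answer prompts until OpenVPN closes it."""
    with socket.create_connection((host, port)) as sock:
        with sock.makefile("rw", newline="\n") as chan:
            for raw in chan:
                for cmd in respond(raw.rstrip("\r\n"), secrets):
                    chan.write(cmd + "\n")
                chan.flush()


if __name__ == "__main__":
    # Assumed values: the PIN would normally come from an agent or prompt,
    # and the type string from observing the first >PASSWORD: notification.
    serve("127.0.0.1", 7505, {"Private Key": "1234"})
```

Only one management client can be attached to an OpenVPN instance at a time, and the client must stay connected for the lifetime of the tunnel, since the PIN can be requested again at any rekey or card reinsertion.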

comment:2 Changed 10 years ago by David Sommerseth

Alon, are you sure this isn't an issue?

How I understand it, when using the opensc pkcs#11 the openvpn connection drops if the openvpn session does a re-keying caused by --reneg-* settings. Or is it designed like it should ask for the pkcs#11 passphrase each time?

comment:3 Changed 9 years ago by Samuli Seppänen

Keywords: opensc added

Whether the actual report is valid or not, the workaround proposed above no longer works, as there is no method "system" in script-security option anymore.

comment:4 Changed 9 years ago by Gert Döring

Cc: Samuli Seppänen added

Seems we really need to find a developer who has access to a pkcs#11 smartcard, to figure out whether all these pkcs#11 tickets are still valid or not.

Samuli, can you get someone from OpenVPN Tech onto this? If it's broken, it is broken for OpenVPN Connect on Linux and MacOS as well, as that's also 2.x code base...

comment:5 Changed 9 years ago by JJK

I can provide some pkcs11 tokens (old Aladdin eTokens) for some of the core developers. Those tokens can be accessed using opensc and/or the proprietary Aladdin driver software.

comment:6 Changed 8 years ago by dwmw2

You don't need hardware; GNOME keyring offers a PKCS#11 module these days. And there's also SoftHSM.

comment:7 Changed 8 years ago by Samuli Seppänen

Cc: james@… added; Samuli Seppänen removed
Keywords: volunteer added