Opened 13 years ago
Closed 15 months ago
#92 closed Bug / Defect (fixed)
pkcs#11 rekeying fails unless 'script-security 2 system' is used
| Reported by: | JJK | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | Crypto | Version: | OpenVPN 2.1.0 / 2.1.1 (Community Ed) |
| Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | opensc volunteer |
| Cc: | becm | | |
Description
Rekeying fails when an opensc-based pkcs#11 driver is used. This is due to the way OpenVPN forks and execs itself. By adding
script-security 2 system
rekeying does succeed.
The opensc pkcs#11 driver tracks the passwords entered via the process id; in normal operation, OpenVPN seems to switch process ids every time it executes an external program, such as /sbin/ip and 'route'.
Change History (9)
comment:1 Changed 12 years ago by
comment:2 Changed 12 years ago by
comment:3 Changed 11 years ago by
| Keywords: | opensc added |
|---|---|
Whether the actual report is valid or not, the workaround proposed above no longer works, as there is no "system" mode in the script-security option anymore.
comment:4 Changed 10 years ago by
| Cc: | Samuli Seppänen added |
|---|---|
Seems we really need to find a developer who has access to a pkcs#11 smartcard, to figure out whether all these pkcs#11 tickets are still valid or not.
Samuli, can you get someone from OpenVPN Tech onto this? If it's broken, it is broken for OpenVPN Connect on Linux and MacOS as well, as that's also 2.x code base...
comment:5 Changed 10 years ago by
I can provide some pkcs11 tokens (old Aladdin eTokens) for some of the core developers. Those tokens can be accessed using opensc and/or the proprietary Aladdin driver software.
comment:6 Changed 9 years ago by
You don't need hardware; GNOME keyring offers a PKCS#11 module these days. And there's also SoftHSM.
comment:7 Changed 9 years ago by
| Cc: | james@… added; Samuli Seppänen removed |
|---|---|
| Keywords: | volunteer added |
comment:8 Changed 15 months ago by
| Cc: | becm added; james@… removed |
|---|---|
The code has seen a few fixes related to fork() getting in the way of pkcs11 (et al), so I guess this is no longer an issue.
Can anyone confirm? Then we can close this.
comment:9 Changed 15 months ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
A-ha. We fixed this all in 2019 / 2.4, it seems...
https://github.com/OpenVPN/openvpn/pull/121
(and maybe already earlier, when changing the initialization sequence).
Closing this. pkcs11-related bugs keep coming back to haunt us, but they will need to go into new issues.
INVALID.
If you use PKCS#11 you must use the management interface to enter passphrases.
As PKCS#11 can expire the password at any given time, and a passphrase will also be needed if the card is removed/inserted.