pkcs#11 rekeying fails unless 'script-security 2 system' is used
| Reported by: | janjust | Owned by: | |
| Component: | Crypto | Version: | 2.1.0 / 2.1.1 |
| Severity: | Not set (if unsure, select this one) | Keywords: | opensc volunteer |
Rekeying fails when an opensc-based pkcs#11 driver is used. This is due to the way OpenVPN forks and execs itself. By adding
script-security 2 system
rekeying does succeed.
The opensc pkcs#11 driver tracks the passwords entered via the process id; in normal operation, OpenVPN seems to switch process ids every time it executes an external program, such as /sbin/ip and 'route'.
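
A constructed model of the behaviour this report describes, added here as an example and not taken from OpenSC or OpenVPN: a toy cache (all `toy_*` names and the sample PIN are hypothetical) keeps a PIN keyed by process id, so the forked process, which has a different pid, finds no usable PIN even though it inherits a copy of the cache.

```c
/* Constructed model: toy_* names are hypothetical, not OpenSC or OpenVPN code. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Toy stand-in for a driver that remembers an entered PIN per process id. */
static struct { pid_t owner; char pin[16]; int valid; } toy_cache;

/* Record the PIN together with the pid of the process that entered it. */
static void toy_login(const char *pin)
{
    toy_cache.owner = getpid();
    snprintf(toy_cache.pin, sizeof toy_cache.pin, "%s", pin);
    toy_cache.valid = 1;
}

/* A cached PIN is honoured only for the process id that entered it. */
static int toy_pin_available(void)
{
    return toy_cache.valid && toy_cache.owner == getpid();
}

/* Ask the same question from a forked child.
 * Returns the child's answer (0 or 1), or -1 on error. */
static int toy_pin_available_after_fork(void)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0)                       /* child: new pid, copied cache */
        _exit(toy_pin_available() ? 1 : 0);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    toy_login("1234");                  /* constructed sample PIN */
    printf("original process: PIN available = %d\n", toy_pin_available());
    printf("forked process:   PIN available = %d\n", toy_pin_available_after_fork());
    return 0;
}
```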