Opened 3 years ago

Last modified 3 years ago

#956 new Bug / Defect

Management Interface does not query for PKCS#11 token password in daemon mode

Reported by: rluta
Owned by:
Priority: major
Milestone:
Component: Management
Version: OpenVPN 2.4.4 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc:

Description

When running with PKCS#11 hardware that requires a PIN code to unlock, the OpenVPN management interface fails to prompt for the PIN code and instead prompts only for token insertion.

Example config file:

client
remote myserver
dev tun
persist-tun
persist-key
verb 3
ca ca.crt
keepalive 10 60
cipher AES-256-CBC
comp-lzo
nobind
pkcs11-providers /usr/local/lib/libeTPkcs11.dylib
pkcs11-cert-private 1
pkcs11-id 'SafeNet\x2C\x20Inc\x2E/eToken/0256f233/ACE\x20eToken/XXXXXX'
pkcs11-pin-cache 3600
management 127.0.0.1 8888
management-hold
management-query-passwords

When run with the command "openvpn --config config.ovpn", connecting to the management port yields the following dialog:

>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
>HOLD:Waiting for hold release:0
hold release
SUCCESS: hold release succeeded
>PASSWORD:Need 'ACE eToken token' password
password 'ACE eToken token' MyPINCode
SUCCESS: 'ACE eToken token' password entered, but not yet verified
...

and completes the connection successfully.
But when run with the command "openvpn --daemon --config config.ovpn", the management dialog is:

>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
>HOLD:Waiting for hold release:0
hold release
SUCCESS: hold release succeeded
>NEED-OK:Need 'token-insertion-request' confirmation MSG:Please insert ACE eToken token
needok 'token-insertion-request' ok
SUCCESS: 'token-insertion-request' needok-confirmation entered, but not yet verified
>NEED-OK:Need 'token-insertion-request' confirmation MSG:Please insert ACE eToken token
...

The daemon loops on needok since it can't read the token successfully without the PIN code.
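The two dialogs above are the only protocol messages a management client has to handle here: ">HOLD", ">PASSWORD" and ">NEED-OK". The following is an added example (not OpenVPN's code and not the reporter's), a small responder that replays both captured transcripts offline, answers each prompt the way the dialog does, keeps the PIN out of its own log, and gives up instead of answering the same "token-insertion-request" forever, which is the failure mode the ticket describes. The prompt names and message formats are taken from the dialog; the PIN value, the secrets map and the repeat limit are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Notification shapes exactly as they appear in the ticket's management dialog.
HOLD_RE = re.compile(r"^>HOLD:")
PASSWORD_RE = re.compile(r"^>PASSWORD:Need '(?P<name>[^']+)' password$")
NEEDOK_RE = re.compile(r"^>NEED-OK:Need '(?P<name>[^']+)' confirmation MSG:(?P<msg>.*)$")


class NeedOkLoop(RuntimeError):
    """Raised when the daemon keeps repeating the same NEED-OK prompt."""


@dataclass
class ManagementResponder:
    # prompt name -> secret (the token PIN); hypothetical operator-supplied map
    secrets: Dict[str, str]
    # how many times the same NEED-OK is answered before giving up (assumed limit)
    max_needok_repeats: int = 2
    needok_seen: Dict[str, int] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)  # redacted record of what was sent

    def handle(self, line: str) -> Optional[str]:
        """Return the command to send for one daemon line, or None if no reply is due."""
        line = line.rstrip("\r\n")
        if HOLD_RE.match(line):
            return self._send("hold release")
        m = PASSWORD_RE.match(line)
        if m:
            name = m.group("name")
            if name not in self.secrets:
                raise KeyError(f"no secret configured for prompt {name!r}")
            # The PIN goes on the wire, but only a redacted copy goes in the log.
            return self._send(f"password '{name}' {self.secrets[name]}",
                              redacted=f"password '{name}' ***")
        m = NEEDOK_RE.match(line)
        if m:
            name = m.group("name")
            count = self.needok_seen[name] = self.needok_seen.get(name, 0) + 1
            if count > self.max_needok_repeats:
                raise NeedOkLoop(f"{name!r} repeated {count} times: {m.group('msg')}")
            return self._send(f"needok '{name}' ok")
        return None  # >INFO, SUCCESS: ... and anything else needs no reply

    def _send(self, cmd: str, redacted: Optional[str] = None) -> str:
        self.log.append(redacted or cmd)
        return cmd


def run_transcript(lines: List[str], secrets: Dict[str, str],
                   max_needok_repeats: int = 2) -> dict:
    """Replay the daemon side of a captured dialog; return what the client sent."""
    responder = ManagementResponder(secrets=secrets, max_needok_repeats=max_needok_repeats)
    sent: List[str] = []
    aborted: Optional[str] = None
    for line in lines:
        try:
            cmd = responder.handle(line)
        except NeedOkLoop as exc:
            aborted = str(exc)  # stop instead of looping on needok
            break
        if cmd is not None:
            sent.append(cmd)
    return {"sent": sent, "log": responder.log, "aborted": aborted}


# Constructed replays of the daemon-side lines from the two dialogs above.
FOREGROUND_DAEMON_LINES = [
    ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info",
    ">HOLD:Waiting for hold release:0",
    "SUCCESS: hold release succeeded",
    ">PASSWORD:Need 'ACE eToken token' password",
    "SUCCESS: 'ACE eToken token' password entered, but not yet verified",
]
NEEDOK = ">NEED-OK:Need 'token-insertion-request' confirmation MSG:Please insert ACE eToken token"
NEEDOK_ACK = "SUCCESS: 'token-insertion-request' needok-confirmation entered, but not yet verified"
DAEMON_MODE_LINES = [
    ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info",
    ">HOLD:Waiting for hold release:0",
    "SUCCESS: hold release succeeded",
    NEEDOK, NEEDOK_ACK, NEEDOK, NEEDOK_ACK, NEEDOK, NEEDOK_ACK,
]
SECRETS = {"ACE eToken token": "1234"}  # constructed PIN, not a real value

if __name__ == "__main__":
    print(run_transcript(FOREGROUND_DAEMON_LINES, SECRETS))
    print(run_transcript(DAEMON_MODE_LINES, SECRETS))
```

Against the foreground transcript the responder sends "hold release" and the PIN and finishes; against the daemon-mode transcript it answers the NEED-OK twice, then aborts with the repeated prompt's message, so a monitoring script can flag the token as inaccessible instead of acknowledging the same request indefinitely.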

Change History (1)

comment:1 Changed 3 years ago by selvanair

Most likely it's looping with "token-insertion-request" because the daemon is not able to see the token. The password prompt will not happen if there is no accessible token. Possibly some permissions issue when daemonized?
