Opened 5 years ago
Last modified 5 years ago
#956 new Bug / Defect
Management Interface does not query for PKCS#11 token password in daemon mode
| Reported by: | rluta | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | Management | Version: | OpenVPN 2.4.4 (Community Ed) |
| Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
| Cc: | | | |
Description
When running with PKCS#11 hardware that requires a PIN code to unlock, the OpenVPN management interface fails to prompt for the PIN code and instead prompts only for token insertion.
Example config file:
```
client
remote myserver
dev tun
persist-tun
persist-key
verb 3
ca ca.crt
keepalive 10 60
cipher AES-256-CBC
comp-lzo
nobind
pkcs11-providers /usr/local/lib/libeTPkcs11.dylib
pkcs11-cert-private 1
pkcs11-id 'SafeNet\x2C\x20Inc\x2E/eToken/0256f233/ACE\x20eToken/XXXXXX'
pkcs11-pin-cache 3600
management 127.0.0.1 8888
management-hold
management-query-passwords
```
When run with the command `openvpn --config config.ovpn`, connecting to the management port yields the following dialog:
```
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
>HOLD:Waiting for hold release:0
hold release
SUCCESS: hold release succeeded
>PASSWORD:Need 'ACE eToken token' password
password 'ACE eToken token' MyPINCode
SUCCESS: 'ACE eToken token' password entered, but not yet verified
...
```
and the connection completes successfully.
But when run with the command `openvpn --daemon --config config.ovpn`, the management dialog is:
```
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
>HOLD:Waiting for hold release:0
hold release
SUCCESS: hold release succeeded
>NEED-OK:Need 'token-insertion-request' confirmation MSG:Please insert ACE eToken token
needok 'token-insertion-request' ok
SUCCESS: 'token-insertion-request' needok-confirmation entered, but not yet verified
>NEED-OK:Need 'token-insertion-request' confirmation MSG:Please insert ACE eToken token
...
```
The daemon loops on needok since it can't read the token successfully without the PIN code.
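As an added example (not from the ticket or from OpenVPN's own code), a small Python client for the management dialog above: it releases the hold, answers a `>PASSWORD:` prompt with the PIN (quoted for the command parser), and confirms `>NEED-OK:` requests, but stops when the same needok repeats, which is the daemon-mode loop described here. The transcript it runs on is constructed from the ticket; the `max_needok` threshold and the PIN value are assumptions.

```python
import re

# Constructed transcript of the daemon-mode session in the ticket (not a live capture).
SAMPLE_DAEMON_LINES = [
    ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info",
    ">HOLD:Waiting for hold release:0",
    "SUCCESS: hold release succeeded",
    ">NEED-OK:Need 'token-insertion-request' confirmation MSG:Please insert ACE eToken token",
    "SUCCESS: 'token-insertion-request' needok-confirmation entered, but not yet verified",
    ">NEED-OK:Need 'token-insertion-request' confirmation MSG:Please insert ACE eToken token",
]
PASSWORD_RE = re.compile(r"^>PASSWORD:Need '([^']+)' password")
NEEDOK_RE = re.compile(r"^>NEED-OK:Need '([^']+)' confirmation")

def quote(value):
    """Double-quote a value for the management command parser, escaping backslash and quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def respond(line, pin, counts, max_needok=2):
    """Return the reply for one daemon line, or None. counts[name] tracks repeats of
    each NEED-OK; past max_needok (an assumed threshold) the token is evidently never
    becoming readable, which is the loop in the ticket, so raise rather than confirm forever."""
    if line.startswith(">HOLD:"):
        return "hold release"                      # management-hold: let the daemon start
    m = PASSWORD_RE.match(line)
    if m:                                          # foreground case: PIN prompt
        return "password '%s' %s" % (m.group(1), quote(pin))
    m = NEEDOK_RE.match(line)
    if m:                                          # daemon case: token-insertion request
        name = m.group(1)
        counts[name] = counts.get(name, 0) + 1
        if counts[name] > max_needok:
            raise RuntimeError("looping on needok %r: token never readable" % name)
        return "needok '%s' ok" % name
    return None

def run_session(lines, pin, max_needok=2):
    """Drive a list of lines offline; returns (replies sent, looping needok name or None)."""
    counts, replies = {}, []
    for line in lines:
        try:
            reply = respond(line, pin, counts, max_needok)
        except RuntimeError:
            return replies, max(counts, key=counts.get)
        if reply is not None:
            replies.append(reply)
    return replies, None
```

Against a live `management 127.0.0.1 8888` socket the same `respond()` can be applied line by line, writing each non-None reply back followed by a newline.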
Most likely it's looping with "token-insertion-request" because the daemon is not able to see the token. The password prompt will not happen if there is no accessible token. Possibly some permissions issue when daemonized?