
Comments (13)

alonbl commented on June 20, 2024

Is this openvpn as service?

On Fri, Mar 15, 2013 at 8:59 PM, neuro18 [email protected] wrote:

Hello.

I set up my OpenVPN Windows 7 x64 client to authorize with a private key and certificate stored on my OpenPGP v2 GPF CryptoStick 1.2 smart-card. But the OpenVPN connection fails at the client's certificate verification phase. The smart-card's activity LED indicator lights up, but a PIN entry dialog never appears.

In use:

Windows 7 x64 Pro;
OpenVPN 2.3.0 x86_64-w64-mingw32;
OpenSC 0.13.0 x64 (the x32 version fails with an error on the command "openvpn --show-pkcs11-ids opensc-pkcs11.dll", so it is simply not usable in my case);
4096-bit RSA Auth key with its respective self-signed certificate on the smart-card.

OpenVPN auth configuration:

    ca ca.crt
    pkcs11-providers C:\Windows\System32\opensc-pkcs11.dll
    pkcs11-id 'ZeitControl/PKCS\x2315\x20emulated/000500001469/OpenPGP\x20card\x20\x28User\x20PIN\x29/03'

OpenVPN log:

    Fri Mar 15 22:12:30 2013 OpenVPN 2.3.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Mar 7 2013
    Enter Management Password:
    Fri Mar 15 22:12:30 2013 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    Fri Mar 15 22:12:30 2013 Need hold release from management interface, waiting...
    Fri Mar 15 22:12:30 2013 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    Fri Mar 15 22:12:30 2013 MANAGEMENT: CMD 'state on'
    Fri Mar 15 22:12:30 2013 MANAGEMENT: CMD 'log all on'
    Fri Mar 15 22:12:30 2013 MANAGEMENT: CMD 'hold off'
    Fri Mar 15 22:12:30 2013 MANAGEMENT: CMD 'hold release'
    Fri Mar 15 22:12:30 2013 PKCS#11: Adding PKCS#11 provider 'C:\Windows\System32\opensc-pkcs11.dll'
    Fri Mar 15 22:12:34 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Fri Mar 15 22:12:34 2013 MANAGEMENT: >STATE:1363371154,RESOLVE,,,
    Fri Mar 15 22:12:34 2013 UDPv4 link local (bound): [undef]
    Fri Mar 15 22:12:34 2013 UDPv4 link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
    Fri Mar 15 22:12:34 2013 MANAGEMENT: >STATE:1363371154,WAIT,,,
    Fri Mar 15 22:12:34 2013 MANAGEMENT: >STATE:1363371154,AUTH,,,
    Fri Mar 15 22:12:34 2013 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:1194, sid=d3a3dde8 f91fbcc8
    Fri Mar 15 22:12:34 2013 VERIFY OK: depth=1, C=XXX, ST=XXX, L=XXX, O=XXX
    Fri Mar 15 22:12:34 2013 VERIFY OK: depth=0, C=XXX, ST=XXX, O=XXX, CN=XXX
    Fri Mar 15 22:12:42 2013 PKCS#11: Cannot perform signature 1:'CKR_CANCEL'
    Fri Mar 15 22:12:42 2013 TLS_ERROR: BIO read tls_read_plaintext error: error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib
    Fri Mar 15 22:12:42 2013 TLS Error: TLS object -> incoming plaintext read error
    Fri Mar 15 22:12:42 2013 TLS Error: TLS handshake failed
    Fri Mar 15 22:12:42 2013 SIGTERM[hard,tls-error] received, process exiting
    Fri Mar 15 22:12:42 2013 MANAGEMENT: >STATE:1363371162,EXITING,tls-error,,

OpenSC PKCS#11 dll module log:

http://pastebin.com/s4czqnEe

What can be done to resolve the issue?

Thanks in advance!


Reply to this email directly or view it on GitHub.

from opensc.

neuro18 commented on June 20, 2024

No.

It's a default installation of OpenVPN under Windows. It installs the OpenVPN service, but when I successfully connect to my OpenVPN server (running on a Synology DiskStation on my home LAN) using the cert and private key directly from files, the service is not running at that time. I think it starts only when you want to use your machine as an OpenVPN server, not just as a client.

Also, there is a "tls-client" option in my .ovpn config file, if it matters.


alonbl commented on June 20, 2024

How do you run openvpn exactly?


neuro18 commented on June 20, 2024

Through the OpenVPN GUI with the following .ovpn config:

    dev tun
    tls-client
    remote [my_remote_server] 1194
    redirect-gateway
    pull
    proto udp
    script-security 2
    auth SHA512
    cipher AES-256-CBC
    tls-auth ta.key 1
    dh dh2048.pem
    ca ca.crt
    pkcs11-providers C:\\Windows\\System32\\opensc-pkcs11.dll
    pkcs11-id 'ZeitControl/PKCS\x2315\x20emulated/000500001469/OpenPGP\x20card\x20\x28User\x20PIN\x29/03'
    verb 3
    comp-lzo
    reneg-sec 0


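The pkcs11-id value in the config above is a serialized token/object identifier. The following added example (my own code, not OpenSC's or OpenVPN's) decodes such a string into its fields and re-encodes it. It assumes the pkcs11-helper layout manufacturer/model/serial/label/object-id-hex with \xHH escapes, which is the shape of the value above and of what openvpn --show-pkcs11-ids prints; the exact set of characters pkcs11-helper escapes is an assumption (the decoder accepts any escaped form, so that only affects re-encoding). Decoding the id makes it obvious which token the config is bound to, e.g. the label "OpenPGP card (User PIN)" rather than the card's other slot.

```python
"""Decode and re-encode an OpenVPN pkcs11-id string (added example).

Assumed layout (pkcs11-helper serialization):
    manufacturerID/model/serialNumber/label/object-id-hex
Each field has bytes outside plain ASCII letters/digits escaped as \\xHH, so
a '/' inside a field can never collide with the separator.
"""
import re
from dataclasses import dataclass

# One escape sequence: a literal backslash, 'x', two hex digits.
_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def unescape_field(field: str) -> str:
    """Reverse the escaping: each escape is one raw byte, everything else is kept."""
    out = bytearray()
    i = 0
    while i < len(field):
        m = _ESCAPE.match(field, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
        else:
            out += field[i].encode("utf-8")
            i += 1
    return out.decode("utf-8", errors="replace")


def escape_field(text: str) -> str:
    """Escape every byte that is not an ASCII letter or digit (assumption: a
    conservative superset of what pkcs11-helper escapes; round-trips are unaffected)."""
    return "".join(
        chr(b) if b < 128 and chr(b).isalnum() else f"\\x{b:02X}"
        for b in text.encode("utf-8")
    )


@dataclass(frozen=True)
class Pkcs11Id:
    manufacturer: str
    model: str
    serial: str
    label: str
    object_id: bytes


def parse_pkcs11_id(value: str) -> Pkcs11Id:
    """Parse a pkcs11-id as written in an .ovpn file (surrounding quotes allowed)."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        value = value[1:-1]
    parts = value.split("/")
    if len(parts) != 5:
        raise ValueError(f"expected 5 '/'-separated fields, got {len(parts)}")
    manufacturer, model, serial, label, obj_hex = (unescape_field(p) for p in parts)
    return Pkcs11Id(manufacturer, model, serial, label, bytes.fromhex(obj_hex))


def serialize_pkcs11_id(pid: Pkcs11Id) -> str:
    """Inverse of parse_pkcs11_id (without the surrounding quotes)."""
    return "/".join([
        escape_field(pid.manufacturer),
        escape_field(pid.model),
        escape_field(pid.serial),
        escape_field(pid.label),
        pid.object_id.hex().upper(),
    ])


if __name__ == "__main__":
    # The id from the config in this thread, as a raw string so Python leaves the \x escapes alone.
    sample = r"'ZeitControl/PKCS\x2315\x20emulated/000500001469/OpenPGP\x20card\x20\x28User\x20PIN\x29/03'"
    print(parse_pkcs11_id(sample))
```

Run it directly to see the thread's id split into manufacturer "ZeitControl", model "PKCS#15 emulated", serial "000500001469", label "OpenPGP card (User PIN)" and object id 0x03; parse_pkcs11_id raises ValueError on a value with the wrong number of fields or a malformed hex id, which is a cheap sanity check to run before blaming the PKCS#11 module.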
neuro18 commented on June 20, 2024

Maybe it's somehow connected with the issue I mentioned here: #125. The smart-card has 2 slots; I need to use the second one only, but can't disable the first one (even with the "create_slots_for_pins" option).


alonbl commented on June 20, 2024

For using PKCS#11 via the gui, you need to use the management interface. A sample is available for *NIX[1].

[1] https://sites.google.com/site/alonbarlev/openvpn-pkcs11


neuro18 commented on June 20, 2024

@alonbl
The official OpenVPN HOW-TO (http://openvpn.net/index.php/open-source/documentation/howto.html#pkcs11_openvpn_config) states that using these two options should be enough:

A typical set of OpenVPN options for PKCS#11

    pkcs11-providers /usr/lib/pkcs11/
    pkcs11-id 'aaaa/bbb/41545F5349474E415455524581D2A1A1B23C4AA4CB17FAF7A4600'

Not a word about service/gui run mode.

I'm not a programmer, just an end user. Can you (or someone else) give a simple, step-by-step instruction on how to befriend my smart-card and OpenVPN under Windows 7, if there's no bug in the OpenSC PKCS#11 module itself?


alonbl commented on June 20, 2024


You should ask on the openvpn mailing list.
For years the openvpn GUI was not maintained and did not progress to using the management interface; last year someone else took it over and should fix it to interact properly with openvpn and present the PKCS#11 prompts.

You can try, as administrator, running openvpn manually as an interactive program; you should be able to provide the PIN in this mode.

Regards,
Alon


neuro18 commented on June 20, 2024

@alonbl
I understand what you meant by asking about 'service' or 'GUI'. I run OpenVPN simply in the Windows command prompt

    openvpn --config [myconfig.ovpn] --verb 3

and was asked for the PIN and then successfully authorized. Well, just in case, I will be waiting for a new GUI with PIN entry dialog support.

Alon, thank you so much!


neuro18 commented on June 20, 2024

The issue is closed. No developer attention required.


dzhus commented on June 20, 2024

What can be done to enable a PIN entry dialog when an openvpn client instance is run as a background service (under Linux)?


dengert commented on June 20, 2024

That sounds like an OpenVPN issue. With PKCS#11 the PIN is obtained by the application, then passed to PKCS#11 via C_Login.

Douglas E. Engert [email protected]

alonbl commented on June 20, 2024

Use the management interface[1][2]; this enables support for card removal/replacement, PIN expiration and more. Smartcards are dynamic devices.

[1] https://github.com/OpenVPN/openvpn/blob/master/doc/management-notes.txt
[2] https://sites.google.com/site/alonbarlev/openvpn-pkcs11


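Alon's answer, both times, is that a GUI or service front-end must drive OpenVPN through the management interface so that the PIN prompt reaches a human; the thread's own log shows the other half of the story (state on / log all on / hold release issued by the GUI, then CKR_CANCEL and >STATE:...,EXITING,tls-error when nobody answers the PIN request). The following added example (my own code, not OpenVPN's, OpenSC's or the thread participants') is a minimal management-interface client that does exactly that: it issues the same three commands, answers ">PASSWORD:Need ..." prompts through a callback, and records the >STATE: transitions so an unanswered prompt is visible as a failure instead of a silent hang. The command and notification formats are taken from management-notes.txt as I understand them; the type string OpenVPN uses for a PKCS#11 token PIN is not on this page and differs between versions, so the client matches any type and passes it to the callback rather than hard-coding it. The transcript in the self-test is constructed from the log lines in this thread.

```python
"""Minimal OpenVPN management-interface client (added example, not OpenVPN code).

Assumed protocol (from management-notes.txt): one command per line;
arguments double-quoted with backslash and double quote escaped;
notifications '>STATE:<time>,<state>,<detail>,<local-ip>,<remote-ip>',
">PASSWORD:Need '<type>' password" (or "... username/password") and
">PASSWORD:Verification Failed: '<type>'".
"""
import socket
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional, Tuple

# Callback: (prompt type, needs_username) -> (username, secret), or None to give up.
CredsProvider = Callable[[str, bool], Optional[Tuple[str, str]]]


def quote_arg(value: str) -> str:
    """Double-quote a command argument, escaping backslash and double quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


@dataclass
class StateRecord:
    timestamp: int
    state: str
    detail: str
    local_ip: str
    remote_ip: str


def parse_state(line: str) -> Optional[StateRecord]:
    """Parse one '>STATE:' notification; returns None for any other line."""
    if not line.startswith(">STATE:"):
        return None
    fields = line[len(">STATE:"):].split(",")
    fields += [""] * (5 - len(fields))          # tolerate short records
    ts, state, detail, local_ip, remote_ip = fields[:5]
    return StateRecord(int(ts or 0), state, detail, local_ip, remote_ip)


@dataclass
class ManagementClient:
    creds: CredsProvider
    writer: Optional[Callable[[str], None]] = None   # None: record only (offline use)
    sent: List[str] = field(default_factory=list)
    states: List[StateRecord] = field(default_factory=list)
    failures: List[str] = field(default_factory=list)

    def send(self, command: str) -> None:
        self.sent.append(command)
        if self.writer:
            self.writer(command + "\n")

    def start(self) -> None:
        # The same three commands the GUI issues in the thread's log, in the same order.
        self.send("state on")
        self.send("log all on")
        self.send("hold release")

    def handle_line(self, raw: str) -> None:
        line = raw.rstrip("\r\n")
        rec = parse_state(line)
        if rec is not None:
            self.states.append(rec)
            if rec.state == "EXITING" and rec.detail:
                self.failures.append(f"exiting: {rec.detail}")
            return
        if line.startswith(">PASSWORD:Verification Failed: '"):
            self.failures.append(line[len(">PASSWORD:"):])
            return
        if line.startswith(">PASSWORD:Need '"):
            rest = line[len(">PASSWORD:Need '"):]
            ptype, _, tail = rest.partition("'")
            needs_username = "username/password" in tail
            answer = self.creds(ptype, needs_username)
            if answer is None:
                # Nothing to offer (user cancelled): stop the daemon explicitly
                # instead of leaving it blocked on a prompt nobody will answer.
                self.failures.append(f"unanswered prompt: {ptype}")
                self.send("signal SIGTERM")
                return
            username, secret = answer
            if needs_username:
                self.send(f"username {quote_arg(ptype)} {quote_arg(username)}")
            self.send(f"password {quote_arg(ptype)} {quote_arg(secret)}")

    def feed(self, lines: Iterable[str]) -> "ManagementClient":
        for line in lines:
            self.handle_line(line)
        return self


def run(host: str, port: int, creds: CredsProvider) -> ManagementClient:
    """Drive a live openvpn started with --management <host> <port> --management-hold --management-query-passwords."""
    with socket.create_connection((host, port)) as sock:
        client = ManagementClient(creds, writer=lambda s: sock.sendall(s.encode("utf-8")))
        client.start()
        with sock.makefile("r", encoding="utf-8", errors="replace") as rfile:
            for line in rfile:
                client.handle_line(line)
                if client.states and client.states[-1].state == "EXITING":
                    break
    return client
```

For a service-style deployment the creds callback is where the PIN dialog (or a PIN-caching agent) plugs in; the failures list is what to log and alert on, since "unanswered prompt" followed by "exiting: tls-error" is precisely the CKR_CANCEL pattern in the log above, and "Verification Failed" is a wrong PIN, which on a smart-card counts against the retry counter.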