Comments (13)
Is this openvpn as a service?
On Fri, Mar 15, 2013 at 8:59 PM, neuro18 [email protected] wrote:
Hello.
I set up my OpenVPN Windows 7 x64 client to authorize with a private key and
certificate stored on my OpenPGP v2 GPF CryptoStick 1.2 smart-card. But
the OpenVPN connection fails at the client's certificate verification phase.
The smart-card's activity LED indicator lights up, but a PIN entry dialog never
appears.
In use:
Windows 7 x64 Pro;
OpenVPN 2.3.0 x86_64-w64-mingw32;
OpenSC 0.13.0 x64 (the x32 version returns an error for the command "openvpn --show-pkcs11-ids
opensc-pkcs11.dll", so it is simply not usable in my case);
4096-bit RSA Auth key with the corresponding self-signed certificate on the
smart-card.
OpenVPN auth configuration:
ca ca.crt
pkcs11-providers C:\Windows\System32\opensc-pkcs11.dll
pkcs11-id 'ZeitControl/PKCS\x2315\x20emulated/000500001469/OpenPGP\x20card\x20\x28User\x20PIN\x29/03'
OpenVPN log:
Fri Mar 15 22:12:30 2013 OpenVPN 2.3.0 x86_64-w64-mingw32 [SSL (OpenSSL)]
[LZO] [PKCS11] [eurephia] [IPv6] built on Mar 7 2013
Enter Management Password:
Fri Mar 15 22:12:30 2013 MANAGEMENT: TCP Socket listening on
[AF_INET]127.0.0.1:25340
Fri Mar 15 22:12:30 2013 Need hold release from management interface,
waiting...
Fri Mar 15 22:12:30 2013 MANAGEMENT: Client connected from
[AF_INET]127.0.0.1:25340
Fri Mar 15 22:12:30 2013 MANAGEMENT: CMD 'state on'
Fri Mar 15 22:12:30 2013 MANAGEMENT: CMD 'log all on'
Fri Mar 15 22:12:30 2013 MANAGEMENT: CMD 'hold off'
Fri Mar 15 22:12:30 2013 MANAGEMENT: CMD 'hold release'
Fri Mar 15 22:12:30 2013 PKCS#11: Adding PKCS#11 provider
'C:\Windows\System32\opensc-pkcs11.dll'
Fri Mar 15 22:12:34 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Mar 15 22:12:34 2013 MANAGEMENT: >STATE:1363371154,RESOLVE,,,
Fri Mar 15 22:12:34 2013 UDPv4 link local (bound): [undef]
Fri Mar 15 22:12:34 2013 UDPv4 link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Fri Mar 15 22:12:34 2013 MANAGEMENT: >STATE:1363371154,WAIT,,,
Fri Mar 15 22:12:34 2013 MANAGEMENT: >STATE:1363371154,AUTH,,,
Fri Mar 15 22:12:34 2013 TLS: Initial packet from
[AF_INET]XXX.XXX.XXX.XXX:1194, sid=d3a3dde8 f91fbcc8
Fri Mar 15 22:12:34 2013 VERIFY OK: depth=1, C=XXX, ST=XXX, L=XXX, O=XXX
Fri Mar 15 22:12:34 2013 VERIFY OK: depth=0, C=XXX, ST=XXX, O=XXX, CN=XXX
Fri Mar 15 22:12:42 2013 PKCS#11: Cannot perform signature 1:'CKR_CANCEL'
Fri Mar 15 22:12:42 2013 TLS_ERROR: BIO read tls_read_plaintext error:
error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib
Fri Mar 15 22:12:42 2013 TLS Error: TLS object -> incoming plaintext read
error
Fri Mar 15 22:12:42 2013 TLS Error: TLS handshake failed
Fri Mar 15 22:12:42 2013 SIGTERM[hard,tls-error] received, process exiting
Fri Mar 15 22:12:42 2013 MANAGEMENT: >STATE:1363371162,EXITING,tls-error,,
OpenSC PKCS#11 dll module log:
What can be done to resolve the issue?
Thanks in advance!
from opensc.
No.
It's a default installation of OpenVPN under Windows. It installs the OpenVPN service, but when I successfully connect to my OpenVPN server (running on a Synology DiskStation on my home LAN) using the cert and private key directly from files, the service is not running at that time. I think it starts only when you want to use your machine as an OpenVPN server, not just a client.
Also, there is a "tls-client" option in my .ovpn config file, if it matters.
How do you run openvpn exactly?
Through the OpenVPN GUI with the following .ovpn config:
dev tun
tls-client
remote [my_remote_server] 1194
redirect-gateway
pull
proto udp
script-security 2
auth SHA512
cipher AES-256-CBC
tls-auth ta.key 1
dh dh2048.pem
ca ca.crt
pkcs11-providers C:\\Windows\\System32\\opensc-pkcs11.dll
pkcs11-id 'ZeitControl/PKCS\x2315\x20emulated/000500001469/OpenPGP\x20card\x20\x28User\x20PIN\x29/03'
verb 3
comp-lzo
reneg-sec 0
Maybe it's somehow connected with the issue I mentioned here: #125,
the smart-card has 2 slots; I need to use the second one only, but can't disable the first one (even with the "create_slots_for_pins" option).
For using PKCS#11 via the gui, you need to use the management interface. A
sample is available for *NIX[1].
[1] https://sites.google.com/site/alonbarlev/openvpn-pkcs11
@alonbl
Official OpenVPN HOW-TO (http://openvpn.net/index.php/open-source/documentation/howto.html#pkcs11_openvpn_config) states that using these two options should be enough:
A typical set of OpenVPN options for PKCS#11
pkcs11-providers /usr/lib/pkcs11/
pkcs11-id 'aaaa/bbb/41545F5349474E415455524581D2A1A1B23C4AA4CB17FAF7A4600'
Not a word about service/gui run mode.
I'm not a programmer, just an end user. Can you (or someone else) give a simple, step-by-step instruction of how to befriend my smart-card and OpenVPN under Windows 7, if there's no bug in PKCS#11 OpenSC module itself?
You should ask the openvpn mailing list.
For years the openvpn GUI was not maintained and did not progress to use
the management interface; last year someone else took it over and
should fix it properly to interact with openvpn and present
the PKCS#11 prompts.
You can try, as administrator, to run openvpn manually as an interactive
program; you should be able to provide the PIN in this mode.
Regards,
Alon
@alonbl
I understand what you meant by asking 'service' or 'GUI'. I run OpenVPN simply in the Windows command prompt:
openvpn --config [myconfig.ovpn] --verb 3
and was asked for the PIN and then successfully authorized. Well, just in case, I will be waiting for a new GUI with PIN entry dialog support.
Alon, thank you so much!
Issue is closed. No developer attention required.
What can be done to enable pin entry dialog when an openvpn client instance is run as a background service (under Linux)?
That sounds like an OpenVPN issue. With PKCS#11 the PIN is obtained by the application, then passed
to PKCS#11 via C_Login.
Douglas E. Engert [email protected]
Use the management interface [1][2]; this enables support for card
removal/replacement, PIN expiration and more.
Smartcards are dynamic devices.
[1] https://github.com/OpenVPN/openvpn/blob/master/doc/management-notes.txt
[2] https://sites.google.com/site/alonbarlev/openvpn-pkcs11
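Both of Alon's answers in this thread (the earlier pointer to the *NIX sample and the reply above) come down to the same point: when openvpn has no console, the PKCS#11 PIN must be delivered through the management interface, which also lets the client react to token removal and PIN failures. The script below is an added example written for this page; it is not code from OpenSC, OpenVPN or Alon's sample. It assumes openvpn was started with `--management 127.0.0.1 7505 mgmt-pw.txt --management-query-passwords --management-hold` (port and password file are assumptions), that prompt lines follow the formats given in OpenVPN's doc/management-notes.txt, and that the quoted name in a PIN prompt carries the token label (the "OpenPGP card (User PIN) token" string used in the comments is a constructed sample value).

```python
"""Answer OpenVPN management-interface prompts (hold, PKCS#11 PIN, auth) so
openvpn can run without a terminal.

Added example for this thread; not code from OpenSC, OpenVPN or Alon's sample.
Assumed openvpn start (not from the thread):
  openvpn --config client.ovpn --management 127.0.0.1 7505 mgmt-pw.txt \
          --management-query-passwords --management-hold
"""
import getpass
import re
import socket
from typing import Callable, List, Optional

# Prompt formats from management-notes.txt, e.g.
#   >PASSWORD:Need 'Auth' username/password
#   >PASSWORD:Need 'Private Key' password
# A PKCS#11 PIN request arrives as the second form; the quoted name is whatever
# openvpn chose for that token (assumed here to contain the token label).
NEED_RE = re.compile(
    r"^>PASSWORD:Need '(?P<name>[^']+)' (?P<kind>username/password|password)$"
)
# e.g. >NEED-OK:Need 'token-insertion-request' confirmation MSG:Please insert ...
NEED_OK_RE = re.compile(r"^>NEED-OK:Need '(?P<name>[^']+)' confirmation")


def quote(value: str) -> str:
    """Quote a command argument: inside double quotes, backslash and double
    quote must be escaped with a backslash (management-notes.txt)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


class Responder:
    """Pure protocol logic: one line in from openvpn, zero or more commands out."""

    MAX_PIN_FAILURES = 3  # stop before the card's own retry counter is used up

    def __init__(self, ask_secret: Callable[[str], str], username: Optional[str] = None):
        self.ask_secret = ask_secret  # called per prompt; the secret is never stored here
        self.username = username
        self.failures = 0

    def handle(self, line: str) -> List[str]:
        line = line.rstrip("\r\n")
        if line.startswith(">HOLD:"):
            # openvpn was started with --management-hold; let it proceed
            return ["hold release"]
        m = NEED_RE.match(line)
        if m:
            name, kind = m.group("name"), m.group("kind")
            cmds = []
            if kind == "username/password":
                cmds.append(f"username {quote(name)} {quote(self.username or '')}")
            cmds.append(f"password {quote(name)} {quote(self.ask_secret(name + ': '))}")
            return cmds
        m = NEED_OK_RE.match(line)
        if m:
            # e.g. token removed and reinserted; acknowledge so openvpn retries
            return [f"needok {m.group('name')} ok"]
        if line.startswith(">PASSWORD:Verification Failed:"):
            self.failures += 1
            if self.failures >= self.MAX_PIN_FAILURES:
                return ["signal SIGTERM"]  # do not keep burning PIN attempts
        return []


def run(host: str = "127.0.0.1", port: int = 7505,
        management_password: Optional[str] = None,
        username: Optional[str] = None) -> None:
    """Drive a live openvpn over its management socket until it exits."""
    responder = Responder(ask_secret=getpass.getpass, username=username)
    with socket.create_connection((host, port)) as sock:
        reader = sock.makefile("r", encoding="utf-8", errors="replace")
        if management_password:  # openvpn prints 'ENTER PASSWORD:' first
            sock.sendall((management_password + "\n").encode())
        sock.sendall(b"state on\n")  # mirrors what the GUI does in the log above
        for line in reader:
            for cmd in responder.handle(line):
                sock.sendall((cmd + "\n").encode())
            if line.startswith(">STATE:") and ",EXITING," in line:
                break


if __name__ == "__main__":
    run(management_password=getpass.getpass("management password: "))
```

Two points matter for a deployment. The management socket is plaintext and anything on the host that can reach it can release the hold, read state, or push commands, so keep it bound to 127.0.0.1 and protected with the password-file argument; and because a wrong PIN is counted by the card, the responder gives up after three `Verification Failed` lines rather than retrying until the token locks.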