
PKCS11 no longer works in newer version #505

Open
amin1best opened this issue Feb 20, 2024 · 5 comments

Comments

@amin1best

Hi,
Is there a plan to support Trusted Platform Module (TPM) in the next release?
Thanks.

@schwabe (Contributor)

schwabe commented Feb 20, 2024

On what platform and in what capacity? It might already be supported or not, depending on what you actually are looking for. E.g. https://github.com/tpm2-software/tpm2-openssl should already work with OpenVPN.

@amin1best (Author)

I used tpm2-pkcs11 in old versions, but it does not work in the new version of OpenVPN. Would it be possible for you to explain step by step how I can use tpm2-openssl in OpenVPN, or at least guide me?

@schwabe (Contributor)

schwabe commented Feb 22, 2024

pkcs11 should be supported in the old and the new version. Also say what the old and new versions are. So if it doesn't work anymore, that is a regression. But you need to provide more input here. Give us a log from the old version and the new version, so we can have an idea what is different. As for helping with tpm2-openssl, I never used that myself, so I cannot help there. But OpenSSL providers work in general, so that one should also work.

@schwabe schwabe changed the title OpenVPN TPM Support PKCS11 no longer works in newer version Feb 22, 2024
@amin1best (Author)

I think the problem is not OpenVPN; tpm2-pkcs11 doesn't work with OpenSSL 3. The new version means the version of OpenVPN that has migrated to OpenSSL 3.
To use tpm2-pkcs11 in OpenVPN, I used the following command:

openvpn --config ./openvpn.config --ca ./connection.crt --pkcs11-providers /usr/lib/x86_64-linux-gnu/libtpm2_pkcs11.so.1 --pkcs11-id "$URL"

The question is, what command should I use in OpenVPN to use tpm2-openssl? Or with what command in general how to introduce TPM to OpenVPN? Even without PKCS11.

@selvanair (Contributor)

> The question is, what command should I use in OpenVPN to use tpm2-openssl? Or with what command in general how to introduce TPM to OpenVPN? Even without PKCS11.

As tpm2-openssl can encapsulate the key in a PEM file with a TSS2 PRIVATE KEY header, I think you can just use the key and corresponding cert as you would do with normal key and cert files in PEM format. However, you will need to add --providers tpm2 default to the command line or in the config file.

Here is a minimal example (untested)

$ cat client.conf
client
dev tun
providers tpm2 default
ca ca.crt
cert mycert.crt
key mykey.pem  # this is a TSS2 PRIVATE KEY protected by TPM
remote myserver.foo.bar
$ sudo openvpn --config client.conf
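The following script is an added example, not code from the thread or from the OpenVPN or tpm2-openssl projects. It wraps the untested recipe above in the pre-flight checks a practitioner would want before pointing OpenVPN at a TPM-resident key: confirm the key file really carries the TSS2 PRIVATE KEY header that tpm2-openssl writes, confirm the tpm2 provider loads in this OpenSSL 3 build, confirm the certificate's public key matches the TPM key (only the public half is ever exported; the private part stays in the TPM), and only then generate the client config with providers tpm2 default and launch OpenVPN. File names, the remote host and the provider installation location are assumptions; the openssl invocations follow the tpm2-openssl README.

```shell
#!/bin/sh
# Added example (not from the issue thread). Assumes: OpenSSL 3, tpm2-openssl
# installed where OpenSSL finds providers, and a key created with something like
#   openssl genpkey -provider tpm2 -algorithm RSA -out mykey.pem
# All file names and the remote host below are placeholders.

# 0 if FILE carries the PEM header tpm2-openssl uses for TPM-wrapped keys.
is_tss2_key() {
    grep -q -e '-----BEGIN TSS2 PRIVATE KEY-----' "$1"
}

# 0 if this OpenSSL build can load the tpm2 provider next to the default one.
tpm2_provider_loads() {
    openssl list -providers -provider tpm2 -provider default 2>/dev/null \
        | grep -q '^[[:space:]]*tpm2$'
}

# 0 if the public key in CERT equals the public half of the TPM key in KEY.
# The tpm2 provider decodes the TSS2 blob; default is needed to write the PEM.
cert_matches_tpm_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -provider tpm2 -provider default -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Print a minimal client config: CA, CERT, KEY, REMOTE.
# The TSS2 key is referenced with the ordinary "key" option; the only
# TPM-specific line is "providers tpm2 default".
print_client_conf() {
    cat <<EOF
client
dev tun
providers tpm2 default
ca $1
cert $2
key $3
remote $4
EOF
}

main() {
    key=${1:-mykey.pem}
    cert=${2:-mycert.crt}
    ca=${3:-ca.crt}
    remote=${4:-myserver.foo.bar}

    is_tss2_key "$key" || { echo "$key is not a TSS2 PRIVATE KEY PEM" >&2; exit 1; }
    tpm2_provider_loads || { echo "tpm2 provider does not load in this OpenSSL" >&2; exit 1; }
    cert_matches_tpm_key "$cert" "$key" || { echo "$cert does not match $key" >&2; exit 1; }

    print_client_conf "$ca" "$cert" "$key" "$remote" > client.conf
    sudo openvpn --config client.conf
}

# Run only when invoked with arguments so the functions can be sourced for tests.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Usage: `sh tpm_vpn_check.sh mykey.pem mycert.crt ca.crt vpn.example.com`. If the header check fails, the file is a plain software key and does not need the provider; if the provider check fails, OpenVPN will also fail to load the key, so fix the tpm2-openssl installation first.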
