No PIN entry with OpenVPN and OpenSC PKCS#11 module (Windows 7 x64) #142

Closed
neuro18 opened this issue Mar 15, 2013 · 13 comments
Comments

neuro18 commented Mar 15, 2013

Hello.

I set up my OpenVPN Windows 7 x64 client to authorize with a private key and certificate stored on my OpenPGP v2 GPF CryptoStick 1.2 smart-card. But the OpenVPN connection fails at the client's certificate verification phase. The smart-card's activity LED indicator lights up, but a PIN entry dialog never appears.

In use:

  • Windows 7 x64 Pro;
  • OpenVPN 2.3.0 x86_64-w64-mingw32;
  • OpenSC 0.13.0 x64 (the 32-bit version returns an error for the command "openvpn --show-pkcs11-ids opensc-pkcs11.dll", so it is simply not usable in my case);
  • 4096-bit RSA Auth key with the respective self-signed certificate on the smart-card.

OpenVPN auth configuration:

ca ca.crt
pkcs11-providers C:\\Windows\\System32\\opensc-pkcs11.dll
pkcs11-id 'ZeitControl/PKCS\x2315\x20emulated/000500001469/OpenPGP\x20card\x20\x28User\x20PIN\x29/03'

OpenVPN log:

Fri Mar 15 22:12:30 2013 OpenVPN 2.3.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Mar  7 2013
Enter Management Password:
Fri Mar 15 22:12:30 2013 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Fri Mar 15 22:12:30 2013 Need hold release from management interface, waiting...
Fri Mar 15 22:12:30 2013 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Fri Mar 15 22:12:30 2013 MANAGEMENT: CMD 'state on'
Fri Mar 15 22:12:30 2013 MANAGEMENT: CMD 'log all on'
Fri Mar 15 22:12:30 2013 MANAGEMENT: CMD 'hold off'
Fri Mar 15 22:12:30 2013 MANAGEMENT: CMD 'hold release'
Fri Mar 15 22:12:30 2013 PKCS#11: Adding PKCS#11 provider 'C:\Windows\System32\opensc-pkcs11.dll'
Fri Mar 15 22:12:34 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Mar 15 22:12:34 2013 MANAGEMENT: >STATE:1363371154,RESOLVE,,,
Fri Mar 15 22:12:34 2013 UDPv4 link local (bound): [undef]
Fri Mar 15 22:12:34 2013 UDPv4 link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Fri Mar 15 22:12:34 2013 MANAGEMENT: >STATE:1363371154,WAIT,,,
Fri Mar 15 22:12:34 2013 MANAGEMENT: >STATE:1363371154,AUTH,,,
Fri Mar 15 22:12:34 2013 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:1194, sid=d3a3dde8 f91fbcc8
Fri Mar 15 22:12:34 2013 VERIFY OK: depth=1, C=XXX, ST=XXX, L=XXX, O=XXX
Fri Mar 15 22:12:34 2013 VERIFY OK: depth=0, C=XXX, ST=XXX, O=XXX, CN=XXX
Fri Mar 15 22:12:42 2013 PKCS#11: Cannot perform signature 1:'CKR_CANCEL'
Fri Mar 15 22:12:42 2013 TLS_ERROR: BIO read tls_read_plaintext error: error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib
Fri Mar 15 22:12:42 2013 TLS Error: TLS object -> incoming plaintext read error
Fri Mar 15 22:12:42 2013 TLS Error: TLS handshake failed
Fri Mar 15 22:12:42 2013 SIGTERM[hard,tls-error] received, process exiting
Fri Mar 15 22:12:42 2013 MANAGEMENT: >STATE:1363371162,EXITING,tls-error,,

OpenSC PKCS#11 dll module log:

http://pastebin.com/s4czqnEe

What can be done to resolve the issue?

Thanks in advance!

alonbl (Member) commented Mar 15, 2013

Is this openvpn as service?

neuro18 (Author) commented Mar 16, 2013

No.

It's a default installation of OpenVPN under Windows. It installs the OpenVPN service, but when I successfully connect to my OpenVPN server (running on a Synology DiskStation on my home LAN) using the cert and private key directly from files, the service is not running at that time. I think it starts only when you want to use your machine as an OpenVPN server, not just as a client.

Also, there is a "tls-client" option in my .ovpn config file, if it matters.

alonbl (Member) commented Mar 16, 2013

How do you run openvpn exactly?

neuro18 (Author) commented Mar 16, 2013

Through the OpenVPN GUI with the following .ovpn config:

dev tun
tls-client

remote [my_remote_server] 1194

redirect-gateway

pull

proto udp
script-security 2

auth SHA512
cipher AES-256-CBC
tls-auth ta.key 1

dh dh2048.pem
ca ca.crt
pkcs11-providers C:\\Windows\\System32\\opensc-pkcs11.dll
pkcs11-id 'ZeitControl/PKCS\x2315\x20emulated/000500001469/OpenPGP\x20card\x20\x28User\x20PIN\x29/03'

verb 3

comp-lzo

reneg-sec 0

neuro18 (Author) commented Mar 16, 2013

Maybe it's somehow connected with the issue I mentioned here: #125. The smart-card has 2 slots; I need to use the second one only, but can't disable the first one (even with the "create_slots_for_pins" option).

alonbl (Member) commented Mar 16, 2013

To use PKCS#11 via the GUI, you need to use the management interface. A
sample is available for *NIX[1].

[1] https://sites.google.com/site/alonbarlev/openvpn-pkcs11

neuro18 (Author) commented Mar 16, 2013

@alonbl
Official OpenVPN HOW-TO (http://openvpn.net/index.php/open-source/documentation/howto.html#pkcs11_openvpn_config) states that using these two options should be enough:

A typical set of OpenVPN options for PKCS#11

    pkcs11-providers /usr/lib/pkcs11/
    pkcs11-id 'aaaa/bbb/41545F5349474E415455524581D2A1A1B23C4AA4CB17FAF7A4600'

Not a word about service/gui run mode.

I'm not a programmer, just an end user. Can you (or someone else) give a simple, step-by-step instruction on how to befriend my smart-card and OpenVPN under Windows 7, if there's no bug in the OpenSC PKCS#11 module itself?

alonbl (Member) commented Mar 16, 2013

You should ask the openvpn mailing list.
For years the OpenVPN GUI was not maintained and never progressed to
using the management interface; last year someone else took it over and
should fix it to interact with openvpn properly and present the PKCS#11
prompts.

You can try, as administrator, to run openvpn manually as an interactive
program; you should be able to provide the PIN in this mode.

Regards,
Alon

neuro18 (Author) commented Mar 16, 2013

@alonbl
I understand what you meant by asking about 'service' or 'GUI'. I ran OpenVPN simply from the Windows command prompt:

openvpn --config [myconfig.ovpn] --verb 3

and was asked for the PIN and then successfully authorized. Well, just in case, I will be waiting for a new GUI with PIN entry dialog support.

Alon, thank you so much!

neuro18 (Author) commented Mar 16, 2013

Issue is closed. No developers attention required.

neuro18 closed this as completed Mar 16, 2013

dzhus commented Apr 24, 2015

What can be done to enable pin entry dialog when an openvpn client instance is run as a background service (under Linux)?

dengert (Member) commented Apr 25, 2015

That sounds like an OpenVPN issue. With PKCS#11 the PIN is obtained by the application, then passed
to PKCS#11 via C_Login.

Douglas E. Engert DEEngert@gmail.com

alonbl (Member) commented Apr 25, 2015

Use the management interface[1][2]; this enables support for card
removal/replacement, PIN expiration and more.
Smartcards are dynamic devices.

[1] https://github.com/OpenVPN/openvpn/blob/master/doc/management-notes.txt
[2] https://sites.google.com/site/alonbarlev/openvpn-pkcs11

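The management-interface route that alonbl points to (for the Windows GUI case above and for the 2015 question about a background openvpn client) works like this: the log in the first post shows the GUI already driving the management channel ('state on', 'hold release'), but the PIN prompt still goes to a console that a GUI-launched or daemonized process does not have, so pkcs11-helper reports the prompt as cancelled ('CKR_CANCEL') and the TLS CertificateVerify signature ('SSL3_SEND_CLIENT_VERIFY') can never be produced. With the OpenVPN options `management`, `management-query-passwords` and `management-hold` set, OpenVPN instead emits `>PASSWORD:Need '<prompt>' password` on the management socket and waits for `password "<prompt>" <pin>`. The script below is an added example of such a management client; it is not from this thread and not part of OpenVPN, OpenVPN-GUI or OpenSC. It assumes a management port of 7505 with no management password, and the exact prompt string for a PKCS#11 token (shown here as a constructed sample) is whatever OpenVPN puts between the quotes, which the client echoes back rather than hard-codes.

```python
"""
Added example: a minimal OpenVPN management-interface client that releases
the startup hold and answers PIN / credential prompts, so openvpn can run
from a GUI or as a background service while the smart-card PIN is entered
from an interactive session.

Assumed openvpn config (real OpenVPN directives; port is an assumption):

    management 127.0.0.1 7505
    management-query-passwords
    management-hold
"""
import getpass
import socket

PASSWORD_PREFIX = ">PASSWORD:Need '"


def quote_management_arg(value):
    """Quote an argument for a management command. Backslash and double
    quote inside the quoted value are escaped with a backslash, so a PIN
    such as 12"34 travels as "12\\"34" and is not mis-parsed by openvpn."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + escaped + '"'


def parse_password_request(line):
    """Parse ">PASSWORD:Need '<kind>' password" or "... username/password".
    <kind> is 'Auth', 'Private Key' or the PKCS#11 token prompt; it is
    returned verbatim so the reply can echo it. Returns (kind, wants_username)
    or None when the line is not a credential request."""
    line = line.rstrip("\r\n")
    if not line.startswith(PASSWORD_PREFIX):
        return None
    rest = line[len(PASSWORD_PREFIX):]
    cut = rest.rfind("' ")          # last "' " separates kind from the verb
    if cut < 0:
        return None
    kind, what = rest[:cut], rest[cut + 2:]
    if what == "password":
        return kind, False
    if what == "username/password":
        return kind, True
    return None


def build_replies(line, credentials):
    """Map one line of management output to the command(s) to send back.
    credentials(kind, wants_username) -> (username_or_None, secret).
    A failed PIN is surfaced as an exception instead of being retried
    blindly: repeated wrong PINs lock the token."""
    if line.startswith(">HOLD:"):
        return ["hold release"]
    if line.startswith(">PASSWORD:Verification Failed:"):
        raise RuntimeError(line)
    req = parse_password_request(line)
    if req is None:
        return []
    kind, wants_username = req
    username, secret = credentials(kind, wants_username)
    cmds = []
    if wants_username:
        cmds.append("username %s %s" % (quote_management_arg(kind),
                                        quote_management_arg(username)))
    cmds.append("password %s %s" % (quote_management_arg(kind),
                                    quote_management_arg(secret)))
    return cmds


def interactive_credentials(kind, wants_username):
    """Ask the user on the terminal; getpass keeps the PIN off the screen."""
    username = input("%s username: " % kind) if wants_username else None
    return username, getpass.getpass("%s: " % kind)


def serve(host="127.0.0.1", port=7505, credentials=interactive_credentials):
    """Connect to the management socket and answer prompts until openvpn
    closes the channel. Replies carry the PIN, so they are never logged."""
    with socket.create_connection((host, port)) as sock:
        chan = sock.makefile("rw", encoding="utf-8", newline="\n")
        chan.write("state on\n")          # ask for >STATE: notifications
        chan.flush()
        for raw in chan:
            line = raw.rstrip("\r\n")
            if not line.startswith(">PASSWORD:"):
                print(line)               # safe to show: no secrets in it
            for cmd in build_replies(line, credentials):
                chan.write(cmd + "\n")
            chan.flush()


if __name__ == "__main__":
    serve()
```

Start openvpn with the three directives above (as a service, from the GUI, or daemonized on Linux), then run this script from the user's session: it releases the hold, and when the PKCS#11 provider needs the token PIN the `>PASSWORD:Need '...' password` line arrives here and the PIN is sent back over the loopback socket. Because the socket carries the PIN in clear text, keep `management` bound to 127.0.0.1 and, in multi-user environments, protect it with a management password file.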