OpenVPN, PKCS#11 and MacOSX


OpenVPN, PKCS#11 and MacOSX

Hasso Tepper
Hi,

There have been many reports from MacOSX users during the last years that
PKCS#11 support in OpenVPN is broken for them. The problem seems to be
related to forking (using execve()) and PKCS#11. The following post
describes the situation well:

http://www.gooze.eu/forums/support/feitian-epass-with-openvpn-tunnelblick

PKCS#11 support is started, the PIN is asked for, etc.; during the first
execve() (ifconfig tun0 delete) the PKCS#11 system seems to be reinitialised,
and from the second execve() (ifconfig tun0 <address>...) on it doesn't
return. The last line in the pcscd log is "Client failed to authenticate".

Avoiding fork altogether seems to be a workaround. OpenVPN 2.2 can be forced
to use system() instead of execve(), and that solves the problem.
Unfortunately, support for system() has been removed in 2.3.

Now, the question is what exactly is wrong? The very same config works
with Linux/BSD. I suspect that it's something to do with the old
smartcard-related stuff in MacOSX (pcsc-lite 1.4.0, ccid 1.3.11), but ... I also
found out that there have been reports from users who are not using
OpenSC (but are using the Aladdin eToken Pro, for example) and PKCS#11 support in
OpenVPN works fine for them. So, I suspect it's something OpenSC can fix.


Regards,

--
Hasso Tepper

------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013
and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: OpenVPN, PKCS#11 and MacOSX

Alon Bar-Lev
Please send full debug log of openvpn.
Thanks.

On Wed, Feb 6, 2013 at 10:37 PM, Hasso Tepper <[hidden email]> wrote:

> Hi,
>
> There have been many reports from MacOSX users during the last years that
> PKCS#11 support in OpenVPN is broken for them. The problem seems to be
> related to forking (using execve()) and PKCS#11. The following post
> describes the situation well:
>
> http://www.gooze.eu/forums/support/feitian-epass-with-openvpn-tunnelblick
>
> PKCS#11 support is started, the PIN is asked for, etc.; during the first
> execve() (ifconfig tun0 delete) the PKCS#11 system seems to be reinitialised,
> and from the second execve() (ifconfig tun0 <address>...) on it doesn't
> return. The last line in the pcscd log is "Client failed to authenticate".
>
> Avoiding fork altogether seems to be a workaround. OpenVPN 2.2 can be forced
> to use system() instead of execve(), and that solves the problem.
> Unfortunately, support for system() has been removed in 2.3.
>
> Now, the question is what exactly is wrong? The very same config works
> with Linux/BSD. I suspect that it's something to do with the old
> smartcard-related stuff in MacOSX (pcsc-lite 1.4.0, ccid 1.3.11), but ... I also
> found out that there have been reports from users who are not using
> OpenSC (but are using the Aladdin eToken Pro, for example) and PKCS#11 support in
> OpenVPN works fine for them. So, I suspect it's something OpenSC can fix.
>
>
> Regards,
>
> --
> Hasso Tepper
>


Re: OpenVPN, PKCS#11 and MacOSX

Hasso Tepper
Alon Bar-Lev wrote:
> Please send full debug log of openvpn.

Attached.


Thanks,

--
Hasso Tepper


Attachment: openvpn-log.txt.gz (16K)

Re: OpenVPN, PKCS#11 and MacOSX

Alon Bar-Lev
This is not the usual log...
I cannot see option values, I see communications before any
PKCS#11 call, and I do not see the PKCS#11 initialization...

But even with this data, please also provide a full debug log of the OpenSC PKCS#11 module.

Thanks,
Alon

On Thu, Feb 7, 2013 at 10:49 AM, Hasso Tepper <[hidden email]> wrote:

> Alon Bar-Lev wrote:
>> Please send full debug log of openvpn.
>
> Attached.
>
>
> Thanks,
>
> --
> Hasso Tepper


Fwd: OpenVPN, PKCS#11 and MacOSX

Ludovic Rousseau
---------- Forwarded message ----------
From: Ludovic Rousseau <[hidden email]>
Date: 2013/2/13
Subject: Re: [Opensc-devel] OpenVPN, PKCS#11 and MacOSX
To: Hasso Tepper <[hidden email]>
Cc: OpenSC Development <[hidden email]>


2013/2/13 Alon Bar-Lev <[hidden email]>:
> Hi,

Hello,

> The problem seems to be in pcsc-lite.

Exactly.

> Call to pcsc_disconnect is not returning.
>
> Ludovic, can you please take a look?
> This happens after the standard sequence of fork() usage with PKCS#11:
> the child process should finalize and initialize PKCS#11.

I can reproduce the problem using the PC/SC Unitary Test SCard_fork.py [1].
After the fork the application should not do any PC/SC call in the child
using the parent's PC/SC context. Otherwise the PC/SC calls in the
parent will be blocked.

It is a bug in Apple PC/SC. The same Unitary Test works fine on
GNU/Linux with a recent PC/SC lite.

I don't know if the bug is easy to circumvent in OpenSC. OpenSC would
have to detect that the application has forked and forget about the PC/SC
context in the child. This may be done only in C_Finalize() and only for
Mac OS X.

Bye,

[1] http://anonscm.debian.org/viewvc/pcsclite/trunk/PCSC/UnitaryTests/SCard_fork.py?view=markup

--
 Dr. Ludovic Rousseau


--
 Dr. Ludovic Rousseau
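The fork-detection idea above (forget the parent's PC/SC context in the child instead of releasing it from C_Finalize()), shown as an added C example that is not OpenSC's or pcsc-lite's code. The struct, the function names, the handle value and the exit-status reporting are assumptions; the real PC/SC calls are replaced by comments so the program runs without a reader.

```c
#include <sys/wait.h>
#include <unistd.h>
/* What finalize did: released the PC/SC context for real, only forgot it
 * because we are in a forked child, or had nothing to release. */
enum finalize_result { FIN_RELEASED = 0, FIN_FORGOTTEN = 1, FIN_NONE = 2 };

/* Hypothetical stand-in for OpenSC's state: PC/SC context plus owner pid. */
struct pkcs11_state {
    pid_t owner_pid;   /* process that did SCardEstablishContext() */
    long  pcsc_ctx;    /* stand-in for SCARDCONTEXT, 0 = none */
};

/* Stand-in for C_Initialize(): get a context, remember which pid owns it. */
int pkcs11_initialize(struct pkcs11_state *s)
{
    s->pcsc_ctx = 0x5c4d;          /* constructed handle value */
    s->owner_pid = getpid();
    return 0;
}

/* Stand-in for C_Finalize() with the fork check: a pid other than the owner
 * means we are in a child, so drop the parent's context without releasing. */
enum finalize_result pkcs11_finalize(struct pkcs11_state *s)
{
    if (s->pcsc_ctx == 0) return FIN_NONE;
    if (getpid() != s->owner_pid) {
        s->pcsc_ctx = 0;           /* forget, do not release */
        return FIN_FORGOTTEN;
    }
    /* real module would call SCardReleaseContext()/pcsc_disconnect here */
    s->pcsc_ctx = 0;
    return FIN_RELEASED;
}

/* Initialise in the parent, finalize in the child, return the child's result
 * via its exit status; -1 on error or if the parent's finalize did not release. */
int run_fork_scenario(void)
{
    struct pkcs11_state st = {0, 0};
    int status = 0;
    pid_t pid;
    pkcs11_initialize(&st);
    if ((pid = fork()) < 0) return -1;
    if (pid == 0)
        _exit((int)pkcs11_finalize(&st));   /* child path */
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    if (pkcs11_finalize(&st) != FIN_RELEASED) return -1;
    return WEXITSTATUS(status);
}
```

The child returns FIN_FORGOTTEN while the parent's own finalize still releases the context it owns, which is the split the message proposes for Mac OS X.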


Re: OpenVPN, PKCS#11 and MacOSX

Lapidus05
This post has NOT been accepted by the mailing list yet.
My sister is visiting China soon and she wants a suitable China VPN service because her favorite sites are blocked over there. Also it will be hard for her to be in touch with us without having a VPN. I wonder if you can suggest a good service for her use.