FreeBSD and Nitrokey (PKCS11) certificate not working

dms
OpenVpn Newbie
Posts: 2
Joined: Fri Jan 27, 2017 3:38 pm

FreeBSD and Nitrokey (PKCS11) certificate not working

Post by dms » Fri Jan 27, 2017 4:13 pm

I have an OpenVPN server (openvpn 2.3.11 on FreeBSD 10.3) which is running fine for Windows and FreeBSD clients using standard generated certificates.

The server is also running fine for Windows clients using keys stored on Nitrokeys.

However, I am not able to connect to the server using a Nitrokey to hold the certificate when using FreeBSD 10.3 (or 11) with OpenVPN 2.3.14 as the client and OpenSC 0.16.

The key is accessible, and on FreeBSD 10.3

    openvpn --show-pkcs11-ids /usr/local/lib/opensc-pkcs11.so

shows the certificate is present with populated DN, Serial and Serialized id.

If I try connecting to the server with the config settings

    pkcs11-providers /usr/local/lib/opensc-pkcs11.so
    pkcs11-id 'SERIAL'

I am prompted for user/password as usual, then I am prompted for

    Enter OpenPGP card (User PIN) token Password:

and on entering the correct password the connection proceeds but then stops with

    /sbin/ifconfig tun0 10.10.0.142 10.10.0.141 mtu 1500 netmask 255.255.255.255 up
    PKCS#11: __pkcs11h_forkFixup entry pid=2318, activate_slotevent=1

There is no error message as such.

At this stage there are two processes:

    root         2294   0.0  0.1   40512   8000  0  I+    3:44PM   0:00.04 openvpn --config openvpn.test
    root         2295   0.0  0.1   40512   7996  0  I+    3:44PM   0:00.00 openvpn --config openvpn.test

A connection is never made and no routing is set up,

i.e. netstat -rn shows

    Routing tables

    Internet:

    Destination        Gateway            Flags      Netif Expire
    default            192.168.0.1        UGS        bge0
    127.0.0.1          link#2             UH          lo0
    192.168.0.0/24     link#1             U          bge0
    192.168.0.81       link#1             UHS         lo0

Using the exact same client and server and using

    ca ca.crt
    cert keyname.crt
    key keyname.key

with valid keys works absolutely fine, so clearly something specific to the PKCS#11 settings is causing issues, which appear to stall at setting up the routing.

The server OpenVPN logs do not show anything unusual that I can see to compare it to a normal connection (other than there are no read events, as nothing is being sent back, I assume).

Any suggestions?

Is this related to the discussion here http://www.sparklabs.com/forum/viewtopi ... 4806#p4823 about pkcs11-helper crashing when using threads?
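
Added example, not from the thread or from the OpenVPN project: the post above relies on the `Serialized id` field printed by `openvpn --show-pkcs11-ids` (not the `Serial`) and on wrapping it in single quotes in the `pkcs11-id` directive. The helper below takes constructed sample output in that format (the token name, reader and id values are invented, not the poster's) and emits the directive line, so the value is copied rather than retyped.

```sh
#!/bin/sh
# Added example (not the poster's or OpenVPN's code).
# Extracts the "Serialized id" from `openvpn --show-pkcs11-ids` output and
# builds the matching pkcs11-id directive, single-quoted as OpenVPN asks.

# Constructed sample of the show-pkcs11-ids output format; the DN, Serial and
# Serialized id values below are invented for the example.
SAMPLE_OUTPUT='
The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
       DN:             /CN=example-client
       Serial:         0123456789ABCDEF
       Serialized id:  OpenSC\x20Project/OpenPGP\x20card\x20\x28User\x20PIN\x29/000500001234/OpenPGP/03
'

# Read show-pkcs11-ids output on stdin, print each Serialized id on its own line.
serialized_ids() {
    awk '/^[[:space:]]*Serialized id:/ {
             sub(/^[[:space:]]*Serialized id:[[:space:]]*/, "")
             print
         }'
}

# Emit the pkcs11-id directive for the first certificate found in the sample.
# In real use, pipe the live `openvpn --show-pkcs11-ids <provider>` output
# through serialized_ids instead of the constructed sample.
pkcs11_id_directive() {
    id=$(printf '%s\n' "$SAMPLE_OUTPUT" | serialized_ids | head -n 1)
    if [ -z "$id" ]; then
        echo "no Serialized id found in show-pkcs11-ids output" >&2
        return 1
    fi
    # Single quotes keep the \x20-style escapes intact in the config file.
    printf "pkcs11-id '%s'\n" "$id"
}

pkcs11_id_directive
```

The `\x20` sequences are OpenVPN's own escaping of spaces in the token and reader names; they must stay literal in the config file, which is why the directive is single-quoted and no shell `echo` is used to print it.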

dms
OpenVpn Newbie
Posts: 2
Joined: Fri Jan 27, 2017 3:38 pm

Re: FreeBSD and Nitrokey (PKCS11) certificate not working

Post by dms » Fri Jan 27, 2017 4:30 pm

//edit - answered my own question

Yes, it is to do with that post.

Rebuilding pkcs11-helper with

    CONFIGURE_ARGS= --disable-crypto-engine-gnutls \
                    --disable-crypto-engine-nss \
                    --disable-threading \
                    --disable-slotevent

got the connection working using the Nitrokey!
