OpenVPN and aetpkss1.dll

scull
OpenVpn Newbie
Posts: 3
Joined: Fri Mar 18, 2011 1:09 pm

OpenVPN and aetpkss1.dll

Post by scull » Fri Mar 18, 2011 1:41 pm

Hello,

I hope I am posting this in the right place. I'm having trouble configuring a Crescendo C700 smart card with OpenVPN, and I'm hoping that someone can help me. I haven't found anything on the internet to help me.

I am actually using OpenVPN 2.1.4 on Windows 7 64-bit for the clients, and on Linux for the server. I would like to secure the VPN access by storing the certificate and the private key of each user on a smart card.

I have a Crescendo C700 (card) and an Omnikey 3121 (reader). I am easily able to store a .p12 cert on the card; the problem is that I am unable to set up OpenVPN with the aetpkss1.dll PKCS11 provider, and I cannot use the OpenSC provider since the C700 is not supported :/

That is why I would like to ask if someone has already tried to configure OpenVPN with aetpkss1.dll.

Here is the configuration I've tried in OpenVPN (I've tried lots of others as well):

pkcs11-providers "C:/WINDOWS/SYSTEM32/aetpkssw.dll"
pkcs11-id 'A\x2EE\x2ET\x2E\x20Europe\x20B\x2EV\x2E/19CB0006010D0000/0023003964951580/Crescendo\x20C700/3829C2E012CE8AF1A1A802007704B6944790DD2E'
askpass

The problem is that, with all the configs I've tried, the client stops responding after it prints the following output:

Fri Mar 18 14:30:31 2011 TLS: Initial packet from 192.168.187.176:1194, sid=1934f246 d579a39d
Fri Mar 18 14:30:31 2011 VERIFY OK: depth=1, /***
Fri Mar 18 14:30:31 2011 VERIFY OK: nsCertType=SERVER
Fri Mar 18 14:30:31 2011 VERIFY OK: depth=0, /***

Hope someone can help :)
Thanks a lot

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: OpenVPN and aetpkss1.dll

Post by janjust » Fri Mar 18, 2011 2:24 pm

From your output I gather you've managed to find the pkcs11 serialized ID for your card; how are you starting OpenVPN? The GUI does not work well with OpenVPN + pkcs11; the next generation GUI will hopefully fix that.

A handy trick is to use the Windows CryptoAPI store. Most cards on Windows allow you to "copy" the certificates into the CryptoAPI store. You can then configure OpenVPN to retrieve the credentials from there. Instead of using the 'pkcs11' options, use

cryptoapicert "SUBJ:name of cert"

scull
OpenVpn Newbie
Posts: 3
Joined: Fri Mar 18, 2011 1:09 pm

Re: OpenVPN and aetpkss1.dll

Post by scull » Fri Mar 18, 2011 3:06 pm

Thanks for this quick answer :)

Indeed, I am using the GUI. So I have tried your solution.
I wasn't able to fix it using the command

crytoapicert "SUBJ:.."

but it works perfectly when I use

cryptoapicert "THUMB:6d .."

In fact, I'm not sure what information I have to put in the first command. I have tried with the name of the certificate.

Just another question. Do you know if there is a command which will immediately stop the VPN if I remove the card?

Anyway, that helps me a lot.

scull
OpenVpn Newbie
Posts: 3
Joined: Fri Mar 18, 2011 1:09 pm

Re: OpenVPN and aetpkss1.dll

Post by scull » Fri Mar 18, 2011 3:21 pm

In fact, the following command does not work if I use the CryptoAPI..

pkcs11-pin-cache 300

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: OpenVPN and aetpkss1.dll

Post by janjust » Fri Mar 18, 2011 3:57 pm

The 'pkcs11-*' commands are purely for the pkcs11 interface, not for the CryptoAPI i/f;
it's quite hard to get the VPN to stop immediately after you remove the card. You'd have to build in some script which triggers a disconnect when the card is removed. Another option is to set the rekeying interval that OpenVPN uses to a shorter period (default = 1 hour). Rekeying is "expensive", however, so it will affect the performance of your VPN. Read the manual pages on 'reneg-sec 600' (= 10 minutes).
