OpenSSL: error:C506D064:microsoft cryptoapi:NCryptSignHash:This smart card does not support the requested feature.

Post by andres.moya » Tue Mar 02, 2021 9:40 pm

Hi,

I am trying to fix my TPM setup that stopped working recently. It was due to an update of either pfSense (and the underlying OpenSSL) or my Windows 10.

I followed a few manuals 2 years ago on how to set it up. No, the certs didn't expire. And it was working until last weekend.

It halts on:

2021-03-02 13:29:50 us=608868 cryptoapicert: enter pkey_rsa_sign_init
2021-03-02 13:29:50 us=608868 cryptoapicert: PSS padding using saltlen = 32
2021-03-02 13:29:50 us=608868 cryptoapicert: calling priv_enc_CNG with alg = SHA256
2021-03-02 13:29:50 us=608868 Signing hash using CNG: data size = 32 padding = 8
2021-03-02 13:29:50 us=979453 OpenSSL: error:C506D064:microsoft cryptoapi:NCryptSignHash:This smart card does not support the requested feature.
2021-03-02 13:29:50 us=979453 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
2021-03-02 13:29:50 us=995080 TLS_ERROR: BIO read tls_read_plaintext error
2021-03-02 13:29:50 us=995080 TLS Error: TLS object -> incoming plaintext read error
2021-03-02 13:29:50 us=995080 TLS Error: TLS handshake failed
2021-03-02 13:29:50 us=995080 Fatal TLS error (check_tls_errors_co), restarting

The most important lines of the client config, which has been there for a while:

persist-tun
persist-key
cipher AES-256-CBC
ncp-disable
auth SHA512
tls-client
client

cryptoapicert "THUMB:******************************************"

I've tried recreating the TPM virtual card and regenerated the certs. Same result.

I would appreciate it if anyone could give a hint about which direction to start in.


Post by TinCanTech » Tue Mar 02, 2021 10:35 pm

andres.moya wrote (Tue Mar 02, 2021 9:40 pm):
Will appreciate if anyone can give a hint

andres.moya wrote (Tue Mar 02, 2021 9:40 pm):
2021-03-02 13:29:50 us=979453 OpenSSL: error:C506D064:microsoft cryptoapi:NCryptSignHash:This smart card does not support the requested feature.

Old smart card?

It is possible that the requested feature is something that your card does support but is being called incorrectly.
It is also possible that your card is too old to support the requested feature .. check Windows 10 support for your card.

Update Windows and OpenVPN and any drivers required for your smart card.

Hope and pray .. recite what-ever incantation :twisted: works for you ..


Post by becm » Wed Mar 10, 2021 11:31 pm

Very much sounds like Issue 1296.
This would indeed imply the hardware or driver is too old to support PSS padding (which is used according to logs here).

As mentioned in the above ticket, there is currently no option to inhibit PSS padding with TLS 1.2 and OpenSSL 1.1.1.

You could try to (temporarily) enforce TLS 1.1 to verify this is indeed the (only) issue.
The only long-term solution (also in the wake of TLS 1.3) will be to use more up-to-date hardware (unless a driver update is sufficient/available).
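
Added example, not part of the thread and not OpenVPN code: a small log triage that pairs each "Signing hash using CNG" line with a following NCryptSignHash error and decodes the logged padding flag, so the PSS-specific failure discussed above can be told apart from other signing errors. The function name `triage` is hypothetical, the padding values are the BCRYPT_PAD_* constants from Windows bcrypt.h, and the second attempt in the sample log is constructed.

```python
import re

# Padding flags from Windows bcrypt.h (BCRYPT_PAD_*), logged as "padding = N".
BCRYPT_PAD = {1: "NONE", 2: "PKCS1", 4: "OAEP", 8: "PSS"}

ALG_RE = re.compile(r"calling priv_enc_CNG with alg = (\S+)")
SIGN_RE = re.compile(r"Signing hash using CNG: data size = (\d+) padding = (\d+)")
ERR_RE = re.compile(r"OpenSSL: error:([0-9A-Fa-f]{8}):[^:]*:([^:]*):(.*)")

# First attempt: lines copied from the log posted in this thread.
# Second attempt: constructed for contrast, modeled on the same line format.
SAMPLE_LOG = """\
2021-03-02 13:29:50 us=608868 cryptoapicert: PSS padding using saltlen = 32
2021-03-02 13:29:50 us=608868 cryptoapicert: calling priv_enc_CNG with alg = SHA256
2021-03-02 13:29:50 us=608868 Signing hash using CNG: data size = 32 padding = 8
2021-03-02 13:29:50 us=979453 OpenSSL: error:C506D064:microsoft cryptoapi:NCryptSignHash:This smart card does not support the requested feature.
2021-03-02 13:29:50 us=979453 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
2021-03-02 13:31:02 us=100000 Signing hash using CNG: data size = 36 padding = 2
"""


def triage(log_text):
    """Return one record per CNG signing attempt found in an OpenVPN client log."""
    attempts, alg = [], None
    for line in log_text.splitlines():
        if m := ALG_RE.search(line):
            alg = m.group(1)  # hash algorithm announced just before the signing call
        elif m := SIGN_RE.search(line):
            attempts.append({
                "alg": alg,
                "hash_len": int(m.group(1)),
                "padding": BCRYPT_PAD.get(int(m.group(2)), "unknown"),
                "error": None,
                "verdict": "no signing error logged",
            })
            alg = None
        elif (m := ERR_RE.search(line)) and attempts and m.group(2) == "NCryptSignHash":
            last = attempts[-1]  # attribute the error to the most recent attempt
            if last["error"] is None:
                last["error"] = m.group(1)
                last["verdict"] = ("key provider refused RSA-PSS signature"
                                   if last["padding"] == "PSS"
                                   else "signing failed, padding is not PSS")
    return attempts


if __name__ == "__main__":
    for attempt in triage(SAMPLE_LOG):
        print(attempt)
```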
