
FreeBSD and Nitrokey (PKCS11) certificate not working

Posted: Fri Jan 27, 2017 4:13 pm
by dms
I have an OpenVPN server (openvpn 2.3.11 on FreeBSD 10.3) which is running fine for Windows and FreeBSD clients using standard generated certificates.

The server is also running fine for Windows clients using keys stored on Nitrokeys.

However, I am not able to connect to the server using a Nitrokey to hold the certificate, using FreeBSD 10.3 (or 11) with OpenVPN 2.3.14 as the client and OpenSC 0.16.

The key is accessible, and on FreeBSD 10.3

    openvpn --show-pkcs11-ids /usr/local/lib/

shows the certificate is present with populated DN, Serial and Serialized id.

If I try connecting to the server with the config settings

    pkcs11-providers /usr/local/lib/
    pkcs11-id 'SERIAL'

I am prompted for user/password as usual, then I am prompted for

    Enter OpenPGP card (User PIN) token Password:

and on entering the correct password the connection proceeds but then stops with

    /sbin/ifconfig tun0 mtu 1500 netmask up
    PKCS#11: __pkcs11h_forkFixup entry pid=2318, activate_slotevent=1

There is no error message as such.

At this stage there are two processes

    root         2294   0.0  0.1   40512   8000  0  I+    3:44PM   0:00.04 openvpn --config openvpn.test
    root         2295   0.0  0.1   40512   7996  0  I+    3:44PM   0:00.00 openvpn --config openvpn.test

A connection is never made and no routing is set up,

i.e. netstat -rn shows

    Routing tables

    Destination        Gateway            Flags      Netif Expire
    default                               UGS        bge0
                       link#2             UH         lo0
                       link#1             U          bge0
                       link#1             UHS        lo0

Using the exact same client and server and using

    ca ca.crt
    cert keyname.crt
    key keyname.key

with valid keys works absolutely fine, so clearly something specific to the PKCS#11 settings is causing issues, which appear to stall at setting up the routing.

The server OpenVPN logs do not show anything unusual that I can see when compared to a normal connection (other than there being no read events, as nothing is being sent back, I assume).

Any suggestions?

Is this related to the discussion here ... 4806#p4823 about pkcs11-helper crashing when using threads?

Re: FreeBSD and Nitrokey (PKCS11) certificate not working

Posted: Fri Jan 27, 2017 4:30 pm
by dms
//edit - answered my own question

Yes it is to do with that post

Rebuilding pkcs11-helper with

    CONFIGURE_ARGS= --disable-crypto-engine-gnutls \
                    --disable-crypto-engine-nss \
                    --disable-threading \

got the connection working using the Nitrokey!
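The first post writes the pkcs11-id line with the placeholder 'SERIAL'; in practice the value has to be the "Serialized id" string that `openvpn --show-pkcs11-ids` prints for the certificate on the token. The following POSIX shell functions are an added example, not code from the thread or from the OpenVPN or pkcs11-helper projects: they take that command's output and produce the two client-config lines used in the first post, refusing to emit a config when the token listed no certificate. The sample output, the provider path /usr/local/lib/opensc-pkcs11.so and the card identifiers inside it are constructed for the example and are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not from the forum thread): derive the OpenVPN client-config
# lines "pkcs11-providers" and "pkcs11-id" from the output of
#   openvpn --show-pkcs11-ids <provider.so>
# The sample below is constructed for this example; the token values in it
# are made up and the provider path is an assumption.

# Constructed sample of what `openvpn --show-pkcs11-ids` prints for one
# certificate on an OpenPGP card (spaces inside the id are escaped as \x20).
SAMPLE_IDS='
The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
       DN:             CN=vpn-client-01
       Serial:         02
       Serialized id:  ZeitControl/PKCS\x2315/000500003A91/OpenPGP\x20card\x20\x28User\x20PIN\x29/01
'

# Print the value of every "Serialized id:" line, one per line.
# Everything after the label is the id; backslash escapes are kept verbatim.
extract_serialized_ids() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Serialized id:[[:space:]]*//p'
}

# Emit the two config lines for a provider module and a serialized id.
# The id is single-quoted, as OpenVPN's own banner asks, so the backslash
# escapes survive config parsing unchanged.
pkcs11_config_fragment() {
    provider="$1"
    id="$2"
    printf "pkcs11-providers %s\npkcs11-id '%s'\n" "$provider" "$id"
}

# Build the fragment for the first certificate in the listing. Fail with a
# non-zero status when no certificate was listed, so a missing or unreadable
# token is caught here rather than as a silent failure at connect time.
client_config_from_ids_output() {
    provider="$1"
    ids_output="$2"
    first_id=$(extract_serialized_ids "$ids_output" | head -n 1)
    if [ -z "$first_id" ]; then
        echo "no certificate found in --show-pkcs11-ids output" >&2
        return 1
    fi
    pkcs11_config_fragment "$provider" "$first_id"
}

# Stand-alone usage (assumed provider path):
# openvpn --show-pkcs11-ids /usr/local/lib/opensc-pkcs11.so > ids.txt
# client_config_from_ids_output /usr/local/lib/opensc-pkcs11.so "$(cat ids.txt)" >> client.ovpn
```

Run the functions against the real listing from the machine that will hold the token; the serialized id embeds the card's serial number, so a fragment generated from one Nitrokey will not match another.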