FreeBSD and Nitrokey (PKCS11) certificate not working
Posted: Fri Jan 27, 2017 4:13 pm
I have an OpenVPN server (openvpn 2.3.11 on FreeBSD 10.3) which is running fine for Windows and FreeBSD clients using standard generated certificates.
The server is also running fine for Windows clients using keys stored on Nitrokeys.
However I am not able to connect to the server using a Nitrokey to hold the certificate using FreeBSD 10.3 (or 11) with OpenVPN 2.3.14 as the client and using opensc 0.16.
The key is accessible and on FreeBSD 10.3

openvpn --show-pkcs11-ids /usr/local/lib/opensc-pkcs11.so

shows the certificate is present with populated DN, Serial and Serialized id.
If I try connecting to the server with the config settings

pkcs11-providers /usr/local/lib/opensc-pkcs11.so
pkcs11-id 'SERIAL'

I am prompted for user/password as usual, then I am prompted for

Enter OpenPGP card (User PIN) token Password:

And on entering the correct password the connection proceeds but then stops with

/sbin/ifconfig tun0 10.10.0.142 10.10.0.141 mtu 1500 netmask 255.255.255.255 up
PKCS#11: __pkcs11h_forkFixup entry pid=2318, activate_slotevent=1

There is no error message as such.
At this stage there are two processes

root 2294 0.0 0.1 40512 8000 0 I+ 3:44PM 0:00.04 openvpn --config openvpn.test
root 2295 0.0 0.1 40512 7996 0 I+ 3:44PM 0:00.00 openvpn --config openvpn.test

A connection is never made and no routing is set up, i.e. netstat -rn shows

Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 192.168.0.1 UGS bge0
127.0.0.1 link#2 UH lo0
192.168.0.0/24 link#1 U bge0
192.168.0.81 link#1 UHS lo0

Using the exact same client and server and using

ca ca.crt
cert keyname.crt
key keyname.key

with valid keys works absolutely fine, so clearly something specific to the PKCS#11 settings is causing issues which appear to stall at setting up the routing.
The server OpenVPN logs do not show anything usual that I can see to compare it to a normal connection (other than there are no read events as nothing is being sent back, I assume).
Any suggestions?
Is this related to the discussion here http://www.sparklabs.com/forum/viewtopi ... 4806#p4823 about pkcs11-helper crashing when using threads?
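As an added example (not from the post, OpenVPN or pkcs11-helper), a small Python checker that scans a client log and a ps listing for the pattern described above: tun device configured, pkcs11-helper fork fixup logged, no "Initialization Sequence Completed" line (OpenVPN's standard success message), and two openvpn processes left running on the same config. The sample inputs are constructed from the lines quoted in the post plus one made-up healthy log.

```python
import re

# Patterns for the two lines quoted in the post and OpenVPN's success marker.
IFCONFIG_RE = re.compile(r"/sbin/ifconfig (\S+) (\S+) (\S+) mtu (\d+)")
FORKFIXUP_RE = re.compile(r"__pkcs11h_forkFixup entry pid=(\d+)")
COMPLETED = "Initialization Sequence Completed"
PS_OPENVPN_RE = re.compile(r"^\S+\s+(\d+)\s+.*\bopenvpn\s+--config\s+(\S+)")


def diagnose_log(log_text):
    """Classify a client log: stalled = tun configured + fork fixup, but never completed."""
    info = {"tun_dev": None, "fork_pids": [], "completed": False, "stalled": False}
    for line in log_text.splitlines():
        m = IFCONFIG_RE.search(line)
        if m:
            info["tun_dev"] = m.group(1)          # e.g. "tun0"
        m = FORKFIXUP_RE.search(line)
        if m:
            info["fork_pids"].append(int(m.group(1)))
        if COMPLETED in line:
            info["completed"] = True
    # Only flag a stall once the device was brought up and the helper forked.
    info["stalled"] = bool(info["tun_dev"]) and bool(info["fork_pids"]) and not info["completed"]
    return info


def duplicate_openvpn_processes(ps_text):
    """Return {config: [pids]} for configs with more than one openvpn process (BSD ps aux)."""
    by_config = {}
    for line in ps_text.splitlines():
        m = PS_OPENVPN_RE.match(line)
        if m:
            by_config.setdefault(m.group(2), []).append(int(m.group(1)))
    return {cfg: pids for cfg, pids in by_config.items() if len(pids) > 1}


# Constructed samples: the first two lines come from the post, the healthy log is made up.
STALLED_LOG = """/sbin/ifconfig tun0 10.10.0.142 10.10.0.141 mtu 1500 netmask 255.255.255.255 up
PKCS#11: __pkcs11h_forkFixup entry pid=2318, activate_slotevent=1
"""
HEALTHY_LOG = """/sbin/ifconfig tun0 10.10.0.142 10.10.0.141 mtu 1500 netmask 255.255.255.255 up
PKCS#11: __pkcs11h_forkFixup entry pid=2318, activate_slotevent=1
Initialization Sequence Completed
"""
PS_SAMPLE = """root 2294 0.0 0.1 40512 8000 0 I+ 3:44PM 0:00.04 openvpn --config openvpn.test
root 2295 0.0 0.1 40512 7996 0 I+ 3:44PM 0:00.00 openvpn --config openvpn.test
"""
```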