Your message dated Tue, 24 Feb 2026 17:50:08 +0100
with message-id <[email protected]>
and subject line Re: Bug#1125519: (no subject)
has caused the Debian Bug report #1125519,
regarding GnuTLS / SafeSign IC 3.8.0.0 PKCS#11 module incompatibility
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1125519: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125519
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libgnutls30
Version: 3.8.11-3
Severity: normal
Tags: patch upstream
X-Debbugs-Cc: [email protected]

Dear Maintainer,

I've discovered an incompatibility between GnuTLS 3.8.11 and the SafeSign IC 
3.8.0.0 PKCS#11 module that prevents the use of SafeSign tokens with 
applications like OpenConnect VPN.

## Problem Description

When GnuTLS attempts to initialize the SafeSign PKCS#11 module, it fails 
with "Thread locking error" because SafeSign returns CKR_NEED_TO_CREATE_THREADS 
(0x09) when it receives the CKF_LIBRARY_CANT_CREATE_OS_THREADS flag.

This is contradictory behavior: the module is saying "I need to create threads" 
when explicitly told "you cannot create threads". However, SafeSign works 
correctly when initialized with flags=0.

## Steps to Reproduce

1. Install SafeSign IC 3.8.0.0 driver (libaetpkss.so)
2. Insert a SafeSign token (e.g., G&D StarSign CUT S)
3. Try to use the token with OpenConnect or any GnuTLS-based application
4. Observe "Cannot initialize PKCS #11 module" error

## Testing

Direct testing shows the issue:
```c
#include <pkcs11.h>  /* CK_C_INITIALIZE_ARGS, CKF_*, CKR_* (p11-kit or OpenSC headers) */

CK_RV rv;
/* No mutex callbacks; ask for OS locking and forbid the module from creating threads. */
CK_C_INITIALIZE_ARGS args = {NULL, NULL, NULL, NULL,
                             CKF_OS_LOCKING_OK | CKF_LIBRARY_CANT_CREATE_OS_THREADS,
                             NULL};

rv = C_Initialize(&args);
// SafeSign returns: 0x00000009 (CKR_NEED_TO_CREATE_THREADS)

/* The failed call left the module uninitialized, so retrying is valid. */
args.flags = 0;
rv = C_Initialize(&args);
// SafeSign returns: 0x00000000 (CKR_OK)
```

## Proposed Solution

Add a fallback for CKR_NEED_TO_CREATE_THREADS similar to the existing 
CKR_CANT_LOCK fallback. When a module returns CKR_NEED_TO_CREATE_THREADS, 
retry initialization with flags=0.

I've attached a patch that implements this solution. The patch:
- Maintains compatibility with conforming PKCS#11 modules
- Enables support for SafeSign and potentially other non-conforming modules
- Follows the same pattern as the existing CKR_CANT_LOCK fallback
- Has been tested successfully with SafeSign tokens

## Impact

This issue affects users of:
- SafeSign tokens (common in Brazilian government/corporate environments)
- OpenConnect VPN with certificate authentication
- Any GnuTLS-based application using PKCS#11

## Environment

- Debian: Sid/Forky
- GnuTLS: 3.8.11-3
- SafeSign: IC Standard Linux 3.8.0.0
- Token: Giesecke & Devrient StarSign CUT S
- Certificate: ICP-Brasil (Brazilian PKI)

## Additional Information

The issue does NOT occur with:
- pkcs11-tool (OpenSC) - works correctly
- GnuTLS 3.7.x (Debian Trixie) - works correctly

This suggests the issue was introduced in GnuTLS 3.8.x or that 3.7.x had 
more lenient initialization logic.

## Documentation

Complete investigation and testing documentation available at:
https://github.com/dataprev/vpn-safesign-gnutls (if published)

The investigation took approximately 8 hours and included:
- Analysis of GnuTLS source code
- Testing with multiple PKCS#11 modules
- Comparison between GnuTLS 3.7.x and 3.8.x
- Validation with real-world VPN usage

## Patch

Please find attached the patch file:
0001-pkcs11-Add-fallback-for-CKR_NEED_TO_CREATE_THREADS.patch

The patch is minimal (7 lines) and follows GnuTLS coding standards.

Thank you for maintaining GnuTLS in Debian!

Best regards,
Claudio Ferreira Filho

--- End Message ---
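The two-step initialization the report's "Proposed Solution" describes (first ask for OS locking and forbid thread creation, then retry with flags=0 if the module answers CKR_CANT_LOCK or CKR_NEED_TO_CREATE_THREADS), written out as an added example. This is not code from the bug report, the attached patch or GnuTLS: the PKCS#11 types and constants are defined locally with the values from the PKCS#11 specification so the file builds without pkcs11.h, and the `module_t` handle, `init_with_fallback` and the three stand-in `C_Initialize` implementations (one conforming, one mimicking the SafeSign behaviour the report describes, one failing outright) are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal PKCS#11 definitions; values match the PKCS#11 v2.x specification.
 * Real code includes <pkcs11.h> from p11-kit or OpenSC instead. */
typedef unsigned long CK_RV;
typedef unsigned long CK_FLAGS;
#define CKR_OK                              0x00UL
#define CKR_FUNCTION_FAILED                 0x06UL
#define CKR_NEED_TO_CREATE_THREADS          0x09UL
#define CKR_CANT_LOCK                       0x0AUL
#define CKF_LIBRARY_CANT_CREATE_OS_THREADS  0x01UL
#define CKF_OS_LOCKING_OK                   0x02UL

typedef struct {
    void *CreateMutex, *DestroyMutex, *LockMutex, *UnlockMutex;
    CK_FLAGS flags;
    void *pReserved;
} CK_C_INITIALIZE_ARGS;

typedef CK_RV (*init_fn)(CK_C_INITIALIZE_ARGS *args);

/* Hypothetical module handle holding only the entry point this example uses. */
typedef struct {
    const char *name;
    init_fn C_Initialize;
} module_t;

/* Initialize a module with the fallback the report proposes. On success,
 * *used_flags holds the flags the module finally accepted: 0 means the
 * module gave no locking guarantee and the caller must serialize its calls. */
CK_RV init_with_fallback(const module_t *m, CK_FLAGS *used_flags)
{
    CK_C_INITIALIZE_ARGS args = {NULL, NULL, NULL, NULL, 0, NULL};
    CK_RV rv;

    args.flags = CKF_OS_LOCKING_OK | CKF_LIBRARY_CANT_CREATE_OS_THREADS;
    rv = m->C_Initialize(&args);
    if (rv == CKR_CANT_LOCK || rv == CKR_NEED_TO_CREATE_THREADS) {
        /* The first call failed, so the module is still uninitialized;
         * retry without any locking or threading flags. */
        args.flags = 0;
        rv = m->C_Initialize(&args);
    }
    if (used_flags)
        *used_flags = args.flags;
    return rv;
}

/* Constructed stand-ins so the example runs without a real token driver. */
static CK_RV conforming_init(CK_C_INITIALIZE_ARGS *args)
{
    (void)args;
    return CKR_OK;
}

static CK_RV safesign_like_init(CK_C_INITIALIZE_ARGS *args)
{
    /* Mimics the behaviour the report describes: rejects the
     * "cannot create threads" flag, accepts flags=0. */
    if (args->flags & CKF_LIBRARY_CANT_CREATE_OS_THREADS)
        return CKR_NEED_TO_CREATE_THREADS;
    return CKR_OK;
}

static CK_RV broken_init(CK_C_INITIALIZE_ARGS *args)
{
    (void)args;
    return CKR_FUNCTION_FAILED;  /* not a retry case: surfaced unchanged */
}

int main(void)
{
    const module_t mods[] = {
        {"conforming", conforming_init},
        {"safesign-like", safesign_like_init},
        {"broken", broken_init},
    };
    for (size_t i = 0; i < sizeof mods / sizeof mods[0]; i++) {
        CK_FLAGS f = 0;
        CK_RV rv = init_with_fallback(&mods[i], &f);
        printf("%-14s rv=0x%02lx flags=0x%02lx%s\n", mods[i].name, rv, f,
               (rv == CKR_OK && f == 0) ? "  (caller must serialize calls)" : "");
    }
    return 0;
}
```

The retry only triggers on the two return codes that indicate a locking or threading negotiation problem; any other failure is returned as-is so a genuinely broken module is not masked. The point worth checking after the fallback is the `used_flags` value: once a module has been initialized with flags=0 and no mutex callbacks, PKCS#11 gives no multi-threading guarantee, so an application that calls into the module from several threads must add its own lock.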
--- Begin Message ---
Version: 3.8.12

On 2026-01-16 Claudio Ferreira Filho via Pkg-gnutls-maint 
<[email protected]> wrote:
> Dear Andreas,

> Thank you for promptly forwarding my bug report to the GnuTLS upstream team. 
> I appreciate your help in getting this issue addressed properly.

> The merge request !2049 by Daiki Ueno looks like it will solve the
> SafeSign compatibility issue perfectly.

The respective change is included in 3.8.12.

cu Andreas

--- End Message ---
