I'm writing in response to this posting, subject:
"Re: [Openvpn-devel] VERY weird interaction between openvpn and
opensc-pkcs11"

When it comes to debugging problems inside OpenVPN and other FOSS software
there is a lack of design information.  Architecture diagram & Theory of
Operation documents are a minimum starting point for those not directly
involved in development.  Do you have a link to these documents?

These documents will greatly improve the way OpenVPN works and how it should
be installed and debugged.

Cheers.
-------------------------
John S. Wolter

Mailto:johnswol...@wolterworks.com
Desk Phone: 734-408-1263
Cell phone: 734-904-8433
USA, Eastern Standard Time, -5 GMT, -4 GMT DST

- Cloud based web services
- Virtual Office services
- Software Development
- Engineered applications

On Thu, Nov 11, 2010 at 9:32 AM, Jan Just Keijser <janj...@nikhef.nl> wrote:

> hi all,
>
> I just spent almost a day debugging a very weird interaction between
> OpenVPN 2.1 and opensc-pkcs11 :
>
> Hardware:
> a Feitian ePass smartcard with an Omnikey CardMan 3121 card reader
>
> Software:
> openvpn 2.1.3
> opensc 0.12.0 (not officially released yet)
> pkcs11-helper 1.07
> linux 2.6.34 64bit kernel (fc13)
>
> Here's what happens:
>
> openvpn starts up, queries me for the PKCS11 prompt, connection is
> established alright.
> When I look at the log file (with 'verb 99') I see that the pkcs11
> function __pkcs11h_forkFixup is called several times, with a different
> pid=%d value every time. This is bad, as it causes opensc-pkcs11 to
> reload the card every time (it calls C_Finalize then C_Initialize). This
> operation is very expensive.
> During key renegotiation it gets even worse, as openvpn prompts me for
> the PIN again and connectivity is lost until I enter the PIN.
>
> Now here's the weirdest part:
>
> the __pkcs11h_forkFixup function is called after the invocation of an
> external program (e.g. /sbin/ip link, /sbin/ip addr add, etc.). If I use
>  script-security 2 system
> the openvpn_execve function uses 'system()' calls to start these
> programs and the problem goes away!
>
> So it seems that openvpn's openvpn_execve fork+waitpid function causes
> the program pid to change every time, triggering the reset of the pkcs11
> interface!
>
> What shall we do about this?
>
> cheers,
>
> JJK / Jan Just Keijser
>
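To make the mechanism discussed in the quoted message concrete, here is an added C example that is not OpenVPN's or pkcs11-helper's code. It models the generic "fork fixup" pattern a PKCS#11 wrapper can use: the library remembers the pid it was initialised under and, on every API entry, re-runs its expensive initialisation if getpid() no longer matches. The two measurement functions show where such a fixup can and cannot fire: a parent that forks, execs a helper and waits never sees its own pid change, whereas code running in the forked child before exec does. All names (lib_*, run_fork_exec, and the helper command "true") are constructed for this example; the exec target is assumed to exist on PATH.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical library state, modelled on a pid-checking fork fixup
 * (constructed for this example, not pkcs11-helper's real internals). */
static pid_t lib_pid = 0;          /* pid the library was last initialised under */
static int   lib_reinit_count = 0; /* how many times the expensive init ran */

/* Stand-in for the costly C_Finalize/C_Initialize round trip. */
static void lib_expensive_init(void)
{
    lib_reinit_count++;
    lib_pid = getpid();
}

/* Fork fixup called at every API entry: returns 1 if it had to reinitialise
 * because the calling process pid differs from the one recorded at init. */
int lib_fork_fixup(void)
{
    if (lib_pid != getpid()) {
        lib_expensive_init();
        return 1;
    }
    return 0;
}

/* (Re)initialise the library and reset the counter; returns the count (1). */
int lib_init(void)
{
    lib_pid = 0;
    lib_reinit_count = 0;
    lib_expensive_init();
    return lib_reinit_count;
}

/* Run a helper the fork+exec+waitpid way; returns the child's exit status
 * or -1 on failure. Any library call placed in the child before execvp()
 * would trigger the fixup, because the child's getpid() differs. */
int run_fork_exec(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127); /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Parent-side check: after n fork+exec rounds, how many extra reinits did
 * the parent's own fixup calls perform? Expected 0: the parent's pid never
 * changes, so a fixup firing here points at code running in the child. */
int parent_reinits_after_forks(int n)
{
    char *const argv[] = { "true", NULL }; /* assumed to exist on PATH */
    lib_init();
    for (int i = 0; i < n; i++) {
        run_fork_exec(argv);
        lib_fork_fixup();
    }
    return lib_reinit_count - 1; /* subtract the initial init */
}

/* Child-side check: fork, call the fixup in the child and report its result
 * through the exit status. Expected 1: the child sees a different pid. */
int child_sees_pid_change(void)
{
    lib_init();
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(lib_fork_fixup());
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("parent reinits after 3 forks: %d\n", parent_reinits_after_forks(3));
    printf("child fixup fired: %d\n", child_sees_pid_change());
    return 0;
}
```

When reading a log like the one described above, this is the split to keep in mind: a pid-based fixup logging a fresh pid on each helper invocation is reporting from the forked child, not from the long-lived parent, so the question to ask is which code path runs in the child between fork() and exec() and whether it touches the PKCS#11 layer at all.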