2012/2/28 David Sommerseth <openvpn.l...@topphemmelig.net>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 28/02/12 19:17, Carsten Krüger wrote:
>> Hello Alon,
>>
>> ABL> This is *THE* missing functionality in the Windows environment.
>> ABL> It seems that nobody is interested in developing a proper UI using
>> ABL> the management interface for Windows.
>> ABL> Same goes for proper smartcard support.
>>
>> Developing the UI (command line) would be trivial, but to my knowledge
>> (I've been reading the mailing list for the last 7 years) there is no
>> management interface in openvpn that would allow this.
>>
>
> Have you seen this document?  (management/management-notes.txt)
> <http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn-testing.git;a=blob_plain;f=management/management-notes.txt;hb=master>
>
> Especially look for all the 'pkcs11'-prefixed calls, like
> pkcs11-id-count and pkcs11-id-get.  Further, James implemented a new
> feature for the management interface where you can pass the certificate
> this way too.  Unfortunately, as Alon pointed out, this has not yet been
> documented well - except in the commit log.

These features are mine. I wrote these... and the whole PKCS#11 layer,
and many others, like the ability to wrap iproute2.
They are good, but not great.
Why? Because the openvpn daemon itself loads the PKCS#11 provider.
This is a security violation.
The PKCS#11 provider should be loaded by the UI, so the daemon cannot
interact with it at will.
It also makes the security of openvpn weaker, as a foreign library is
loaded into the openvpn process.
And on Windows 7+ there is a problem: a service cannot access the
smartcard readers of the users.
And... even if it can (XP), you cannot use a smartcard in a remote desktop
session.

Alon.

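Added example, not part of this thread and not OpenVPN project code: a sketch of the split Alon argues for, where the management client (the UI, running in the user's session) holds the private key and performs the RSA operation, while the daemon only ever sees the public key and the data to be signed. The notification and command names used here (`>RSA_SIGN:`, `rsa-sig`, `>NEED-CERTIFICATE:`, `certificate`, `END`) are the ones management-notes.txt documents for the `--management-external-key` and `--management-external-cert` options in OpenVPN 2.3 and later, which is the feature James's commit added; verify them against the version you run. The RSA key is a throw-away test key generated in pure Python so the file runs offline; a real UI would perform the same raw PKCS#1 v1.5 signature through its own PKCS#11 provider instead, and the daemon would never load that module.

```python
# Added example (not OpenVPN code): UI-side signer for the management
# interface's external-key flow, plus the daemon-side check that needs only
# the public key. Assumed protocol names follow management-notes.txt for
# OpenVPN 2.3+ (--management-external-key / --management-external-cert).
import base64
import secrets

SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin; 32 rounds makes a false positive negligible."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_rsa_key(bits=1024, e=65537):
    """Throw-away test key as plain integers (1024 bits keeps the demo fast;
    this is a constructed key for the example, not a production key size)."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1   # exactly b bits, odd
            if is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def modulus_len(key):
    return (key["n"].bit_length() + 7) // 8


def rsa_sign_raw(priv, data):
    """PKCS#1 v1.5 type-1 padding plus the private exponentiation, with no
    DigestInfo: the daemon hands over an already-hashed TLS handshake value
    and expects the raw signature back (what RSA_private_encrypt would do)."""
    k = modulus_len(priv)
    if len(data) > k - 11:
        raise ValueError("data too long for modulus")
    em = b"\x00\x01" + b"\xff" * (k - len(data) - 3) + b"\x00" + data
    return pow(int.from_bytes(em, "big"), priv["d"], priv["n"]).to_bytes(k, "big")


def rsa_recover_raw(pub, sig):
    """Public operation only: strip the padding and return the signed data."""
    k = modulus_len(pub)
    em = pow(int.from_bytes(sig, "big"), pub["e"], pub["n"]).to_bytes(k, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x01" or sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
        raise ValueError("bad PKCS#1 v1.5 padding")
    return em[sep + 1:]


def ui_handle_line(line, priv, cert_pem):
    """UI side of the management session: map one daemon notification to the
    reply lines to send back, or None when the line needs no answer."""
    if line.startswith(">RSA_SIGN:"):
        data = base64.b64decode(line[len(">RSA_SIGN:"):])
        sig_b64 = base64.b64encode(rsa_sign_raw(priv, data)).decode()
        # the daemon joins every line up to END before base64-decoding, so
        # wrapping at 64 columns is cosmetic
        lines = [sig_b64[i:i + 64] for i in range(0, len(sig_b64), 64)]
        return ["rsa-sig", *lines, "END"]
    if line.startswith(">NEED-CERTIFICATE:"):
        return ["certificate", *cert_pem.strip().splitlines(), "END"]
    return None


def daemon_check_reply(reply, pub, data):
    """Daemon side: holding only the public key, all it can and needs to do
    is confirm the signature recovers the value it asked to have signed."""
    if reply[0] != "rsa-sig" or reply[-1] != "END":
        return False
    return rsa_recover_raw(pub, base64.b64decode("".join(reply[1:-1]))) == data


def demo(priv=None):
    priv = priv or gen_rsa_key()
    pub = {"n": priv["n"], "e": priv["e"]}       # the only key the daemon gets
    to_sign = bytes(range(36))   # constructed stand-in for the 36-byte TLS 1.x MD5||SHA-1 hash
    reply = ui_handle_line(">RSA_SIGN:" + base64.b64encode(to_sign).decode(), priv, "")
    return daemon_check_reply(reply, pub, to_sign)


if __name__ == "__main__":
    print("daemon accepted UI-produced signature:", demo())
```

The point of the split is visible in the function signatures: `daemon_check_reply` never receives `priv`, and nothing in the daemon's half imports or loads a provider. On Windows 7 and later this also sidesteps the session-isolation problem mentioned above, because the half that talks to the smartcard reader runs in the user's session rather than in the service.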