Hoi Hans,
On 15/10/19 09:26, j.witvl...@mindef.nl wrote:
> Hi all,
> We are about to change from one smartcard towards another, and our
> team has been asked to verify whether it is compliant with some of the
> applications we are responsible for.
> Initially I was pretty confident that it would be a hasty but smooth
> transition. Reality proved me wrong with regards to openvpn…
> I was wondering if I might have come up against a label-length issue…
> As always, under Linux, I perform:
> “openvpn --show-pkcs11-ids /usr/local/lib/libCnfpkcs11.so”
> And one of the strings it returns, I use in the openvpn-client config.
> But now it fails in a ghostly fashion…
> The server does not complain, but on the client side I noticed:
> Mon Oct 14 14:40:25 2019 us=612269 TLS_ERROR: read tls_read_plaintext
> error: RSA - Bad input parameters to function
> Mon Oct 14 14:40:25 2019 us=612347 TLS Error: TLS object -> incoming
> plaintext read error
> Mon Oct 14 14:40:25 2019 us=612368 TLS Error: TLS handshake failed
> Google gave some suggestions, that are all irrelevant:
> - On both server and client side I’m running openvpn-NL-2.4.6
> - It still works with the old smartcard (if I change the pkcs11-ids on
>   client-side, and the client-root-certificate on server side).
>   So no conflict with mismatching ciphers, LZO, etc.
> - Still using sha256. Not suddenly using sha1 :-)
> - Switched tls-verify off at either side
> - The client-certificate was used successfully in
>   website-client-authentication
> - If I change back, all still works with the old smartcard…
> One of the observations I made was the length of what
> “--show-pkcs11-ids” returns.
> With the old card it used to be 50 long:
> '/19C12006010D00C0/6034016789982337/Defensiepas/41'
> But with the new card, it’s twice in length:
> 'IDEMIA/Defpas\x209528XXXX2/9066004707074907/Defpas\x209528XXXX200123456789/446566706173312041757468'
can you try running with
verb 7
or higher? that should show some pkcs11 debug messages - perhaps it will
give a clue where it's failing.
Also, which version of the pkcs11-helper library is used in OpenVPN-NL
2.4.6 ? is it linked statically or dynamically?
HTH,
JJK / Jan Just
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
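A first thing to rule out when an id string doubles in length is that the string itself is malformed or that one of its fields no longer fits where it is supposed to. The following is an added example (my code, not from the thread, OpenVPN or pkcs11-helper) that parses the two identifiers quoted above. It assumes the layout pkcs11-helper uses when it serialises a certificate id, five '/'-separated fields manufacturerID/model/serialNumber/label/hex(CKA_ID), with bytes in the four token fields escaped as \xHH (the `\x20` in the new card's id is a space), and it compares each decoded token field against the fixed widths of the matching CK_TOKEN_INFO members in PKCS#11 (32/16/16/32 bytes). For the ids in the thread it shows the extra length comes from a populated manufacturerID, spaces in model and label, and a 12-byte CKA_ID ("Defpas1 Auth") instead of a 1-byte one; every field stays inside its PKCS#11 width, so the string is well-formed. The client-side error text "RSA - Bad input parameters to function" is mbed TLS's description of MBEDTLS_ERR_RSA_BAD_INPUT_DATA, i.e. the failure is in the RSA operation after the token was selected, which is consistent with the id parsing cleanly.

```python
"""Parse and sanity-check an identifier printed by `openvpn --show-pkcs11-ids`.

Added example for this thread, not code from OpenVPN or pkcs11-helper.
Assumption: the identifier is pkcs11-helper's serialised certificate id,
five '/'-separated fields
    manufacturerID/model/serialNumber/label/hex(CKA_ID)
where bytes in the four token fields are escaped as \\xHH and the last
field is the hex encoding of the certificate object's CKA_ID.
"""
import binascii
import re

# The two identifiers quoted in the thread (digits partly masked there).
OLD_ID = "/19C12006010D00C0/6034016789982337/Defensiepas/41"
NEW_ID = (r"IDEMIA/Defpas\x209528XXXX2/9066004707074907/"
          r"Defpas\x209528XXXX200123456789/446566706173312041757468")

TOKEN_FIELDS = ("manufacturerID", "model", "serialNumber", "label")
# Fixed widths of the corresponding CK_TOKEN_INFO members in PKCS#11.
TOKEN_FIELD_WIDTH = {"manufacturerID": 32, "model": 16,
                     "serialNumber": 16, "label": 32}

_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def unescape(field):
    """Turn pkcs11-helper style \\xHH escapes back into the original characters."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), field)


def parse_pkcs11_id(serialized):
    """Split a serialised id into its fields; CKA_ID is returned as bytes."""
    parts = serialized.split("/")
    if len(parts) != 5:
        raise ValueError("expected 5 '/'-separated fields, got %d" % len(parts))
    fields = {name: unescape(raw) for name, raw in zip(TOKEN_FIELDS, parts[:4])}
    try:
        fields["CKA_ID"] = binascii.unhexlify(parts[4])
    except (binascii.Error, ValueError) as exc:
        raise ValueError("CKA_ID is not valid hex: %s" % exc)
    return fields


def field_lengths(serialized):
    """Decoded length of every field, to see where a long id comes from."""
    return {name: len(value) for name, value in parse_pkcs11_id(serialized).items()}


def check_pkcs11_id(serialized):
    """Return a list of findings; an empty list means the id looks well-formed."""
    try:
        fields = parse_pkcs11_id(serialized)
    except ValueError as exc:
        return ["unparseable: %s" % exc]
    findings = []
    for name, width in TOKEN_FIELD_WIDTH.items():
        if len(fields[name].encode("utf-8")) > width:
            findings.append("%s exceeds the %d-byte CK_TOKEN_INFO width" % (name, width))
    if not fields["CKA_ID"]:
        findings.append("empty CKA_ID")
    return findings


def describe(serialized):
    """Human-readable per-field report, CKA_ID shown as hex and, if printable, ASCII."""
    fields = parse_pkcs11_id(serialized)
    lines = ["%d characters on the wire" % len(serialized)]
    for name in TOKEN_FIELDS:
        lines.append("  %-15s %2d  %r" % (name, len(fields[name]), fields[name]))
    cka = fields["CKA_ID"]
    ascii_form = cka.decode("ascii") if all(0x20 <= b < 0x7f for b in cka) else None
    lines.append("  %-15s %2d  %s%s" % ("CKA_ID", len(cka), cka.hex(),
                                        "  (%r)" % ascii_form if ascii_form else ""))
    findings = check_pkcs11_id(serialized)
    lines.append("  findings: %s" % (", ".join(findings) if findings else "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    for label, ident in (("old card", OLD_ID), ("new card", NEW_ID)):
        print(label)
        print(describe(ident))
```

Run it against the output of `openvpn --show-pkcs11-ids` for the new card; if the findings list is empty, the length of the id string is not the problem and, as Jan Just suggests, `verb 7` output from the pkcs11 layer is the next place to look.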