Re: [Openvpn-users] Smartcard based certificate OR: object length

Wed, 16 Oct 2019 03:24:40 -0700 

Hoi Hans,

On 15/10/19 09:26, j.witvl...@mindef.nl wrote:


Hi all,


We are about to change from one smartcard towards another, and our 
team has been asked to verify whether it is compliant with some of the 
applications we are responsible for.



Initially I was pretty confident that it would be a hasty, by smooth 
transition. Reality proved me wrong with regards to openvpn…


It I was wondering if I might come against a label-length issue…

As always, under Linux, I perform:

“openvpn --show-pkcs11-ids /usr/local/lib/libCnfpkcs11.so”

And one of the strings it returns, I use in the openvpn-client config.

But now it fails in a ghostly fashion…

The server does not complain, but on the client side I noticed:


Mon Oct 14 14:40:25 2019 us=612269 TLS_ERROR: read tls_read_plaintext 
error: RSA - Bad input parameters to function



Mon Oct 14 14:40:25 2019 us=612347 TLS Error: TLS object -> incoming 
plaintext read error


Mon Oct 14 14:40:25 2019 us=612368 TLS Error: TLS handshake failed

Google gave some suggestions, that are all irrelevant:

·On both server and client side I’m running openvpn-NL-2.4.6


·It still works with old smartcard ( if I change the pkcs11-ids on 
client-side, and the client-root-certificate on server side

So no conflict with mismatching cyphers, LZO, etc

·Still using sha256. Not suddenly using sha1 :-)

·Switched tls-verify off at either side


·The client-certificate was used successfully in 
website-client-authentication


·If I change back, all still works with the old smartcard…


One of the observations I made was the length of what 
“—show-pkcs11-ids” returns.


With the old card it used to be 50 long:

'/19C12006010D00C0/6034016789982337/Defensiepas/41'

But with the new card, it’s twice in length:

'IDEMIA/Defpas\x209528XXXX2/9066004707074907/Defpas\x209528XXXX200123456789/446566706173312041757468'



can you try running with
  verb 7

or higher? that should show some pkcs11 debug messages - perhaps it will 
give a clue where it's failing.
Also, which version of the pkcs11-helper library is used in OpenVPN-NL 
2.4.6 ?  is it linked statically or dynamically?


HTH,

JJK / Jan Just


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users






















					Reply via email to