I am trying out a newer version of OpenVPN Community Edition (the latest
from the website) on Windows 10 and am running into problems with a config
that works with 2.4.7.  If I use the token with OpenVPN 2.4.7 it works as
expected. On 2.5.1, I get a series of errors when using the pkcs11
method. The token works fine with cryptoapicert as the interface to the
eToken.

cryptoapicert "SUBJ:officeVPN"

However, if I use

pkcs11-providers eTpkcs11.dll
pkcs11-id 'pkcs11:model=eToken;token=.....

(i.e. the output of --show-pkcs11-ids)


I enter the PIN, and it's the right PIN as the fail count on the token
doesn't go down. It just fails and asks for the PIN again.  The pkcs11
fail bits from the log are below. Like I said, this same token works
with the same config under 2.4.7 and works with 2.5.1 if I use it via
cryptoapicert. Any idea where / why I am getting those 2 errors using
the pkcs11 method under 2.5.1?



2021-04-14 17:24:36 us=284747 SSL state (connect): TLSv1.3 read server
certificate verify
2021-04-14 17:24:36 us=284747 SSL state (connect): SSLv3/TLS read finished
2021-04-14 17:24:36 us=284747 SSL state (connect): SSLv3/TLS write
change cipher spec
2021-04-14 17:24:36 us=284747 SSL state (connect): SSLv3/TLS write
client certificate
2021-04-14 17:24:36 us=284747 PKCS#11: __pkcs11h_openssl_rsa_enc entered
- flen=256, from=00000000007968E0, to=0000000000795B10,
rsa=000000000075EEE0, padding=3
2021-04-14 17:24:36 us=284747 PKCS#11: Performing signature
2021-04-14 17:24:36 us=284747 PKCS#11: pkcs11h_certificate_signAny entry
certificate=00000000007586B0, mech_type=3, source=00000000007968E0,
source_size=0000000000000100, target=0000000000795B10,
*p_target_size=0000000000000100
2021-04-14 17:24:36 us=284747 PKCS#11: Getting key attributes
2021-04-14 17:24:36 us=284747 PKCS#11:
__pkcs11h_certificate_getKeyAttributes entry certificate=00000000007586B0
2021-04-14 17:24:36 us=284747 PKCS#11:
_pkcs11h_session_freeObjectAttributes entry attrs=000000000072E140, count=4
2021-04-14 17:24:36 us=284747 PKCS#11:
_pkcs11h_session_freeObjectAttributes return
2021-04-14 17:24:36 us=284747 PKCS#11: Get private key attributes
failed: 130:'CKR_OBJECT_HANDLE_INVALID'
2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_certificate_resetSession
entry certificate=00000000007586B0, public_only=0, session_mutex_locked=1
2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_getObjectById
entry session=0000000000759C40, class=3, id=000000000075F4A0,
id_size=0000000000000008, p_handle=00000000007586C8
2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_validate entry
session=0000000000759C40
2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_validate
session->pin_expire_time=0, time=1618435476
2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_validate return
rv=0-'CKR_OK'
2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_findObjects
entry session=0000000000759C40, filter=000000000072E0C0, filter_attrs=2,
p_objects=000000000072E0B8, p_objects_found=000000000072E0B4
2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_findObjects
return rv=0-'CKR_OK', *p_objects_found=1
2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_getObjectById
return rv=0-'CKR_OK', *p_handle=02970005
2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_certificate_resetSession
return rv=0-'CKR_OK'
2021-04-14 17:24:36 us=284747 PKCS#11: Key attributes enforced by
provider (00000002)
2021-04-14 17:24:36 us=284747 PKCS#11:
_pkcs11h_session_freeObjectAttributes entry attrs=000000000072E140, count=4
2021-04-14 17:24:36 us=284747 PKCS#11:
_pkcs11h_session_freeObjectAttributes return
2021-04-14 17:24:36 us=284747 PKCS#11:
__pkcs11h_certificate_getKeyAttributes return rv=0-'CKR_OK'
2021-04-14 17:24:36 us=284747 PKCS#11: pkcs11h_certificate_signRecover
entry certificate=00000000007586B0, mech_type=3,
source=00000000007968E0, source_size=0000000000000100,
target=0000000000795B10, *p_target_size=0000000000000100
2021-04-14 17:24:36 us=284747 PKCS#11:
__pkcs11h_certificate_doPrivateOperation entry
certificate=00000000007586B0, op=1, mech_type=3,
source=00000000007968E0, source_size=0000000000000100,
target=0000000000795B10, *p_target_size=0000000000000100
2021-04-14 17:24:36 us=284747 PKCS#11:
_pkcs11h_certificate_validateSession entry certificate=00000000007586B0
2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_validate entry
session=0000000000759C40
2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_validate
session->pin_expire_time=0, time=1618435476
2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_validate return
rv=0-'CKR_OK'
2021-04-14 17:24:36 us=284747 PKCS#11:
_pkcs11h_certificate_validateSession return rv=0-'CKR_OK'
2021-04-14 17:24:36 us=300419 PKCS#11:
__pkcs11h_certificate_doPrivateOperation init rv=112
2021-04-14 17:24:36 us=300419 PKCS#11: Private key operation failed
rv=112-'CKR_MECHANISM_INVALID'
2021-04-14 17:24:36 us=300419 PKCS#11: _pkcs11h_certificate_resetSession
entry certificate=00000000007586B0, public_only=0, session_mutex_locked=1
2021-04-14 17:24:36 us=300419 PKCS#11: _pkcs11h_session_login entry
session=0000000000759C40, is_publicOnly=0, readonly=1,
user_data=0000000000000000, mask_prompt=00000003
2021-04-14 17:24:36 us=300419 PKCS#11: _pkcs11h_session_logout entry
session=0000000000759C40
2021-04-14 17:24:36 us=316078 PKCS#11: _pkcs11h_session_logout return
2021-04-14 17:24:36 us=316078 PKCS#11: _pkcs11h_session_reset entry
session=0000000000759C40, user_data=0000000000000000,
mask_prompt=00000003, p_slot=000000000072DC3C
2021-04-14 17:24:36 us=316078 PKCS#11: _pkcs11h_session_reset Expected
token manufacturerID='SafeNet, Inc.' model='eToken',
serialNumber='021c49f5', label='officetoken2b'
2021-04-14 17:24:36 us=316078 PKCS#11: _pkcs11h_session_getSlotList
entry provider=000000000088D1A0, token_present=1,
pSlotList=000000000072DAE0, pulCount=000000000072DADC
2021-04-14 17:24:36 us=316078 PKCS#11: _pkcs11h_session_getSlotList
return rv=0-'CKR_OK' *pulCount=1
2021-04-14 17:24:36 us=316078 PKCS#11: _pkcs11h_token_getTokenId entry
p_token_id=000000000072DAE8
2021-04-14 17:24:36 us=316078 PKCS#11: _pkcs11h_token_newTokenId entry
p_token_id=000000000072DA40
2021-04-14 17:24:36 us=316078 PKCS#11: _pkcs11h_token_newTokenId return
rv=0-'CKR_OK', *p_token_id=00000000007D5120
2021-04-14 17:24:36 us=316078 PKCS#11: _pkcs11h_token_getTokenId return
rv=0-'CKR_OK', *p_token_id=00000000007D5120
2021-04-14 17:24:36 us=331784 PKCS#11: _pkcs11h_session_reset Found
token manufacturerID='SafeNet, Inc.' model='eToken',
serialNumber='021c49f5', label='officetoken2b'
2021-04-14 17:24:36 us=331784 PKCS#11: pkcs11h_token_freeTokenId entry
certificate_id=00000000007D5120
2021-04-14 17:24:36 us=331784 PKCS#11: pkcs11h_token_freeTokenId return
2021-04-14 17:24:36 us=331784 PKCS#11: _pkcs11h_session_reset return
rv=0-'CKR_OK', *p_slot=0
2021-04-14 17:24:36 us=331784 PKCS#11: Calling pin_prompt hook for ''
Enter officetoken2b token Password:




_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
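
An added triage example, not part of the original post and not OpenVPN or pkcs11-helper code: it rejoins the mail-wrapped records of the log above, lists every PKCS#11 return value other than CKR_OK, and decodes the mech_type and padding numbers. The number-to-name tables come from the PKCS#11 and OpenSSL headers; the function names are illustrative.

```python
import re

# Constructed sample: five records copied from the log above, still hard-wrapped.
SAMPLE = """\
2021-04-14 17:24:36 us=284747 PKCS#11: __pkcs11h_openssl_rsa_enc entered
- flen=256, from=00000000007968E0, to=0000000000795B10,
rsa=000000000075EEE0, padding=3
2021-04-14 17:24:36 us=284747 PKCS#11: Get private key attributes
failed: 130:'CKR_OBJECT_HANDLE_INVALID'
2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_validate return
rv=0-'CKR_OK'
2021-04-14 17:24:36 us=284747 PKCS#11: pkcs11h_certificate_signRecover
entry certificate=00000000007586B0, mech_type=3,
source=00000000007968E0, source_size=0000000000000100,
target=0000000000795B10, *p_target_size=0000000000000100
2021-04-14 17:24:36 us=300419 PKCS#11: Private key operation failed
rv=112-'CKR_MECHANISM_INVALID'
"""

TS = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d us=\d+ ")
RV = re.compile(r"(\d+)[-:]'(CKR_\w+)'")
# Values from the PKCS#11 headers (CKM_*) and OpenSSL's rsa.h (RSA_*_PADDING).
CKM = {1: "CKM_RSA_PKCS", 3: "CKM_RSA_X_509"}
PAD = {1: "RSA_PKCS1_PADDING", 3: "RSA_NO_PADDING", 4: "RSA_PKCS1_OAEP_PADDING"}

def records(text):
    """Rejoin mail-wrapped lines: a new record starts at a timestamp."""
    out = []
    for line in text.splitlines():
        if TS.match(line) or not out:
            out.append(line.strip())
        elif line.strip():
            out[-1] += " " + line.strip()
    return out

def triage(text):
    """Return (failures, mechanisms, paddings) seen in the PKCS#11 trace."""
    fails, mechs, pads = [], set(), set()
    for rec in records(text):
        fails += [(int(c), n) for c, n in RV.findall(rec) if n != "CKR_OK"]
        mechs |= {CKM.get(int(m), m) for m in re.findall(r"mech_type=(\d+)", rec)}
        pads |= {PAD.get(int(p), p) for p in re.findall(r"\bpadding=(\d+)", rec)}
    return fails, mechs, pads

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On these records it reports the two failing return values together with CKM_RSA_X_509 and RSA_NO_PADDING, which is the signing request that precedes the CKR_MECHANISM_INVALID result in the trace.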