Thank you very much for the analysis and pointer. The application is a kiosk type environment and for a number of reasons, the Windows PIN dialog popping up is not workable. It's been a while since I built OpenVPN from source, but I imagine I could roll a version of the OpenSSL DLL that would max out at TLS 1.2 or at least default to that?
---Mike

On 4/14/2021 7:16 PM, Selva Nair wrote:
> Hi,
>
> As per the logs it's requesting an unpadded signature of size 256 (padding
> = 3), which is expected with OpenSSL 1.1.1 and TLS 1.2 or 1.3, as it
> requires a PSS padded signature and OpenSSL provides the padded data to
> sign with padding = NONE. My guess would be that your hardware token
> doesn't support signing pre-padded data.
>
> In the case of cryptoapi, we pass in the unpadded data and the padding type,
> so that both padding and signing are handled by the cryptography
> provider (token's dll through Windows).
>
> 2.4.7 is built with an older OpenSSL that does not support TLS 1.3 and
> does not use PSS padding by default. For newer releases, there is a
> workaround like using TLS 1.2 and configuring OpenSSL to not negotiate PSS
> padding with the server [1], but why not use cryptoapi as it works?
>
> Selva
>
> [1] https://community.openvpn.net/openvpn/ticket/1296#comment:12
>
> On Wed, Apr 14, 2021 at 6:03 PM mike tancsa <m...@sentex.net> wrote:
> >
> > Trying out a newer version of OpenVPN community edition (latest from the
> > website) on Windows 10 and running into problems with a config that
> > works from 2.4.7. If I use the token with OpenVPN 2.4.7 it works as
> > expected. On 2.5.1, I get a series of errors when using the pkcs11
> > method. The token works fine with cryptoapicert as the interface to the
> > eToken.
> >
> > cryptoapicert "SUBJ:officeVPN"
> >
> > However, if I use
> >
> > pkcs11-providers eTpkcs11.dll
> > pkcs11-id 'pkcs11:model=eToken;token=.....
> >
> > (i.e. the output of --show-pkcs11-ids)
> >
> > I enter the PIN, and it's the right PIN as the fail count on the token
> > doesn't go down. It just fails and asks for the PIN again. The pkcs11
> > fail bits from the log are below. Like I said, this same token works
> > with the same config under 2.4.7 and works with 2.5.1 if I use it via
> > cryptoapicert. Any idea where / why I am getting those 2 errors using
> > the pkcs11 method under 2.5.1?
> >
> > 2021-04-14 17:24:36 us=284747 SSL state (connect): TLSv1.3 read server certificate verify
> > 2021-04-14 17:24:36 us=284747 SSL state (connect): SSLv3/TLS read finished
> > 2021-04-14 17:24:36 us=284747 SSL state (connect): SSLv3/TLS write change cipher spec
> > 2021-04-14 17:24:36 us=284747 SSL state (connect): SSLv3/TLS write client certificate
> > 2021-04-14 17:24:36 us=284747 PKCS#11: __pkcs11h_openssl_rsa_enc entered - flen=256, from=00000000007968E0, to=0000000000795B10, rsa=000000000075EEE0, padding=3
> > 2021-04-14 17:24:36 us=284747 PKCS#11: Performing signature
> > 2021-04-14 17:24:36 us=284747 PKCS#11: pkcs11h_certificate_signAny entry certificate=00000000007586B0, mech_type=3, source=00000000007968E0, source_size=0000000000000100, target=0000000000795B10, *p_target_size=0000000000000100
> > 2021-04-14 17:24:36 us=284747 PKCS#11: Getting key attributes
> > 2021-04-14 17:24:36 us=284747 PKCS#11: __pkcs11h_certificate_getKeyAttributes entry certificate=00000000007586B0
> > 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_freeObjectAttributes entry attrs=000000000072E140, count=4
> > 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_freeObjectAttributes return
> > 2021-04-14 17:24:36 us=284747 PKCS#11: Get private key attributes failed: 130:'CKR_OBJECT_HANDLE_INVALID'
> > 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_certificate_resetSession entry certificate=00000000007586B0, public_only=0, session_mutex_locked=1
> > 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_getObjectById entry session=0000000000759C40, class=3, id=000000000075F4A0, id_size=0000000000000008, p_handle=00000000007586C8
> > 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_validate entry session=0000000000759C40
> > 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_validate session->pin_expire_time=0, time=1618435476
> > 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_validate return rv=0-'CKR_OK'
> > 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_findObjects entry session=0000000000759C40, filter=000000000072E0C0, filter_attrs=2, p_objects=000000000072E0B8, p_objects_found=000000000072E0B4
> > 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_findObjects return rv=0-'CKR_OK', *p_objects_found=1
> > 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_getObjectById return rv=0-'CKR_OK', *p_handle=02970005
> > 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_certificate_resetSession return rv=0-'CKR_OK'
> > 2021-04-14 17:24:36 us=284747 PKCS#11: Key attributes enforced by provider (00000002)
> > 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_freeObjectAttributes entry attrs=000000000072E140, count=4
> > 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_freeObjectAttributes return
> > 2021-04-14 17:24:36 us=284747 PKCS#11: __pkcs11h_certificate_getKeyAttributes return rv=0-'CKR_OK'
> > 2021-04-14 17:24:36 us=284747 PKCS#11: pkcs11h_certificate_signRecover entry certificate=00000000007586B0, mech_type=3, source=00000000007968E0, source_size=0000000000000100, target=0000000000795B10, *p_target_size=0000000000000100
> > 2021-04-14 17:24:36 us=284747 PKCS#11: __pkcs11h_certificate_doPrivateOperation entry certificate=00000000007586B0, op=1, mech_type=3, source=00000000007968E0, source_size=0000000000000100, target=0000000000795B10, *p_target_size=0000000000000100
> > 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_certificate_validateSession entry certificate=00000000007586B0
> > 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_validate entry session=0000000000759C40
> > 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_validate session->pin_expire_time=0, time=1618435476
> > 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_validate return rv=0-'CKR_OK'
> > 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_certificate_validateSession return rv=0-'CKR_OK'
> > 2021-04-14 17:24:36 us=300419 PKCS#11: __pkcs11h_certificate_doPrivateOperation init rv=112
> > 2021-04-14 17:24:36 us=300419 PKCS#11: Private key operation failed rv=112-'CKR_MECHANISM_INVALID'
> > 2021-04-14 17:24:36 us=300419 PKCS#11: _pkcs11h_certificate_resetSession entry certificate=00000000007586B0, public_only=0, session_mutex_locked=1
> > 2021-04-14 17:24:36 us=300419 PKCS#11: _pkcs11h_session_login entry session=0000000000759C40, is_publicOnly=0, readonly=1, user_data=0000000000000000, mask_prompt=00000003
> > 2021-04-14 17:24:36 us=300419 PKCS#11: _pkcs11h_session_logout entry session=0000000000759C40
> > 2021-04-14 17:24:36 us=316078 PKCS#11: _pkcs11h_session_logout return
> > 2021-04-14 17:24:36 us=316078 PKCS#11: _pkcs11h_session_reset entry session=0000000000759C40, user_data=0000000000000000, mask_prompt=00000003, p_slot=000000000072DC3C
> > 2021-04-14 17:24:36 us=316078 PKCS#11: _pkcs11h_session_reset Expected token manufacturerID='SafeNet, Inc.' model='eToken', serialNumber='021c49f5', label='officetoken2b'
> > 2021-04-14 17:24:36 us=316078 PKCS#11: _pkcs11h_session_getSlotList entry provider=000000000088D1A0, token_present=1, pSlotList=000000000072DAE0, pulCount=000000000072DADC
> > 2021-04-14 17:24:36 us=316078 PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=1
> > 2021-04-14 17:24:36 us=316078 PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=000000000072DAE8
> > 2021-04-14 17:24:36 us=316078 PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=000000000072DA40
> > 2021-04-14 17:24:36 us=316078 PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=00000000007D5120
> > 2021-04-14 17:24:36 us=316078 PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=00000000007D5120
> > 2021-04-14 17:24:36 us=331784 PKCS#11: _pkcs11h_session_reset Found token manufacturerID='SafeNet, Inc.' model='eToken', serialNumber='021c49f5', label='officetoken2b'
> > 2021-04-14 17:24:36 us=331784 PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=00000000007D5120
> > 2021-04-14 17:24:36 us=331784 PKCS#11: pkcs11h_token_freeTokenId return
> > 2021-04-14 17:24:36 us=331784 PKCS#11: _pkcs11h_session_reset return rv=0-'CKR_OK', *p_slot=0
> > 2021-04-14 17:24:36 us=331784 PKCS#11: Calling pin_prompt hook for ''
> > Enter officetoken2b token Password:
> >
> > _______________________________________________
> > Openvpn-users mailing list
> > Openvpn-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/openvpn-users
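An added triage helper (my example, not code from the thread, OpenVPN or pkcs11-helper) that reads pkcs11-helper debug lines of the kind quoted above and names the numeric fields Selva points at: padding=3 is OpenSSL's RSA_NO_PADDING, mech_type=3 is CKM_RSA_X_509 (raw RSA), and rv=112 is CKR_MECHANISM_INVALID. The constant tables and the sample log lines are mine, condensed from the thread's log.

```python
import re

# PKCS#11 mechanism ids and OpenSSL RSA padding constants, so the numeric
# fields in the pkcs11-helper debug log can be named.
CK_MECH = {1: "CKM_RSA_PKCS", 3: "CKM_RSA_X_509", 13: "CKM_RSA_PKCS_PSS"}
RSA_PAD = {1: "RSA_PKCS1_PADDING", 3: "RSA_NO_PADDING", 6: "RSA_PKCS1_PSS_PADDING"}

PATTERNS = {
    "tls": re.compile(r"SSL state \(connect\): (TLSv1\.\d)"),
    "padding": re.compile(r"__pkcs11h_openssl_rsa_enc entered.*?padding=(\d+)"),
    "mech": re.compile(r"pkcs11h_certificate_signAny entry.*?mech_type=(\d+)"),
    "error": re.compile(r"Private key operation failed rv=\d+-'(CKR_\w+)'"),
}

def triage(log_lines):
    """Extract TLS version, OpenSSL padding mode, PKCS#11 mechanism and final
    error from a pkcs11-helper log; later matches win (last signing attempt)."""
    found = {}
    for line in log_lines:
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                found[key] = m.group(1)
    return {
        "tls": found.get("tls"),
        "padding": RSA_PAD.get(int(found["padding"])) if "padding" in found else None,
        "mech": CK_MECH.get(int(found["mech"])) if "mech" in found else None,
        "error": found.get("error"),
    }

def diagnose(info):
    """Name the pattern from the thread: OpenSSL hands over pre-padded PSS data
    (padding NONE), helper asks for raw RSA (CKM_RSA_X_509), token lacks it."""
    if (info["padding"] == "RSA_NO_PADDING" and info["mech"] == "CKM_RSA_X_509"
            and info["error"] == "CKR_MECHANISM_INVALID"):
        return ("token rejects raw RSA (CKM_RSA_X_509) on pre-padded PSS input; "
                "use cryptoapicert, or limit to TLS 1.2 without PSS negotiation")
    if info["error"]:
        return "private key operation failed with " + info["error"]
    return "no private key failure found in log"

# Constructed sample, condensed from the pkcs11-helper lines quoted in the
# thread (one entry per line; pointer fields replaced by 0).
SAMPLE_LOG = """\
2021-04-14 17:24:36 us=284747 SSL state (connect): TLSv1.3 read server certificate verify
2021-04-14 17:24:36 us=284747 PKCS#11: __pkcs11h_openssl_rsa_enc entered - flen=256, from=0, to=0, rsa=0, padding=3
2021-04-14 17:24:36 us=284747 PKCS#11: pkcs11h_certificate_signAny entry certificate=0, mech_type=3, source=0
2021-04-14 17:24:36 us=300419 PKCS#11: Private key operation failed rv=112-'CKR_MECHANISM_INVALID'
""".splitlines()
```

Running `diagnose(triage(SAMPLE_LOG))` names the raw-RSA mismatch; feeding it a real `--verb` log of a working cryptoapicert connection returns the no-failure case instead.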