From: Alon Bar-L. <alo...@gm...> - 2013-02-07 06:17:39
Please send full debug log of openvpn.

Thanks.

On Wed, Feb 6, 2013 at 10:37 PM, Hasso Tepper <has...@gm...> wrote:
> Hi,
>
> There have been many reports from MacOSX users during last years that
> PKCS#11 support in OpenVPN is broken for them. The problem seems to be
> related to forking (using execve()) and PKCS#11. Following post
> describes the situation well:
>
> http://www.gooze.eu/forums/support/feitian-epass-with-openvpn-tunnelblick
>
> PKCS#11 support is started, PIN is asked etc, during first execve()
> (ifconfig tun0 delete) PKCS#11 system seems to be reinitialised and
> from second execve() (ifconfig tun0 <address>...) it doesn't return. The
> last line from pcscd log is "Client failed to authenticate".
>
> Avoiding fork at all seems to be a workaround. OpenVPN 2.2 can be forced
> to use system() instead of execve() and it solves the problem.
> Unfortunately support for system() is removed from 2.3.
>
> Now, the question is what exactly is wrong? The very same conf works
> with Linux/BSD. I suspect that it's something to do with old smartcard
> related stuff in MacOSX (pcsc-lite 1.4.0, ccid 1.3.11), but ... I also
> found out that there have been reports from users who are not using
> opensc (but using Aladdin eToken Pro for example) and PKCS#11 support in
> OpenVPN works fine for them. So, I suspect it's something opensc can fix.
>
>
> Regards,
>
> --
> Hasso Tepper
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel