From: Alon Bar-L. <alo...@gm...> - 2013-07-05 18:18:52
Hello,

Please send log file with --verb 255.

Thanks,
Alon

On Fri, Jul 5, 2013 at 10:17 AM, Matthias Barmeier <bar...@ba...> wrote:
> Hi,
>
> I have a setup with OpenSC version 0.13.0-0git-2012112910105 supplied as
> debian package from gooze.eu and OpenVPN version 2.2.1-8 on Mint 14 LMDE.
> My OpenVPN tunnel runs perfect when I use certificate and key as files.
> The tunnel comes up and works as expected.
> I added the certificate and the key to an ePass2003 token.
>
> When I try to use the token with the opensc-pkcs11.so provider I get the
> following Log-Output:
>
> Fri Jul 5 09:07:41 2013 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2]
> [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2
> (2.2RC2)] built on Mar 23 2012
> Fri Jul 5 09:07:41 2013 PKCS#11: Adding PKCS#11 provider
> '/usr/lib/opensc-pkcs11.so'
> Fri Jul 5 09:07:48 2013 WARNING: No server certificate verification
> method has been enabled. See http://openvpn.net/howto.html#mitm for
> more info.
> Fri Jul 5 09:07:48 2013 NOTE: OpenVPN 2.1 requires '--script-security
> 2' or higher to call user-defined scripts or executables
> Fri Jul 5 09:07:48 2013 LZO compression initialized
> Fri Jul 5 09:07:48 2013 Control Channel MTU parms [ L:1542 D:138 EF:38
> EB:0 ET:0 EL:0 ]
> Fri Jul 5 09:07:48 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42
> EB:135 ET:0 EL:0 AF:3/1 ]
> Fri Jul 5 09:07:48 2013 Local Options hash (VER=V4): '41690919'
> Fri Jul 5 09:07:48 2013 Expected Remote Options hash (VER=V4): '530fdded'
> Fri Jul 5 09:07:48 2013 UDPv4 link local: [undef]
> Fri Jul 5 09:07:48 2013 UDPv4 link remote: [AF_INET]123.231.22.53:1194
> Fri Jul 5 09:07:54 2013 VERIFY OK: depth=2,
> /C=DE/ST=Berlin/L=Berlin/O=Foobar/OU=Operations/CN=SIKON_CA/emailAddress=Ope...@fo...
> Fri Jul 5 09:07:54 2013 VERIFY OK: depth=1,
> /C=DE/ST=Berlin/L=Berlin/O=Foobar/OU=Operations/CN=STUFE3/emailAddress=Ope...@fo...
> Fri Jul 5 09:07:54 2013 VERIFY OK: depth=0,
> /C=DE/ST=Berlin/L=Berlin/O=Foobar/OU=Operations/CN=vpn.foobar.biz
> Enter John Doe (User PIN) token Password:
> Fri Jul 5 09:08:00 2013 PKCS#11: Cannot perform signature
> 32:'CKR_DATA_INVALID'
> Fri Jul 5 09:08:00 2013 TLS_ERROR: BIO read tls_read_plaintext error:
> error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib
> Fri Jul 5 09:08:00 2013 TLS Error: TLS object -> incoming plaintext
> read error
> Fri Jul 5 09:08:00 2013 TLS Error: TLS handshake failed
> Fri Jul 5 09:08:00 2013 TCP/UDP: Closing socket
> Fri Jul 5 09:08:00 2013 SIGUSR1[soft,tls-error] received, process
> restarting
>
> I think the second line seems to be the problem, but I do not understand
> what this means.
>
> To verify that the token is configured correctly I added the
> opensc-pkcs11.so to Firefox and configured an Apache server to make
> client authentication with the certificate and key added to
> the token. After entering the token's PIN authentication works perfect.
>
> My first question is whether this is an OpenSC problem or a problem of
> OpenVPN?
> What does CKR_DATA_INVALID mean?
> Are there any diagnostics I can make to solve the problem?
>
> Thanks.
>
> Ciao
> Matthias
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel