2013/2/5 Hasso Tepper <[email protected]>:
> Hi,

Hello,

> There have been many reports from MacOSX users during last years that
> PKCS#11 support in OpenVPN is broken for them. The problem seems to be
> related to forking (using execve()) and PKCS#11. Following post
> describes the situation well:
>
> http://www.gooze.eu/forums/support/feitian-epass-with-openvpn-tunnelblick
>
> PKCS#11 support is started, PIN is asked etc, during first execve()
> (ifconfig tun0 delete) PKCS#11 system seems to be reinitialised and
> from second execve() (ifconfig tun0 <address>...) it doesn't return. The
> last line from pcscd log is "Client failed to authenticate".
>
> Avoiding fork at all seems to be a workaround. OpenVPN 2.2 can be forced
> to use system() instead of execve() and it solves the problem.
> Unfortunately support for system() is removed from 2.3.
>
> Any idea what's going on? The very same setup(s) seems to work for
> Linux/BSD users. Why? Too old PKCS#11 related stuff (pcscd/ccid) in MacOSX?

PC/SC lite does not like it when a client uses fork() without
establishing a new PC/SC context for the new process.
This has changed on the Linux side but Apple has not updated pcsc-lite
for ages. So I would not be surprised if it is related to your problem.

If the same configuration works on Linux and BSD but not on Mac OS X
then the problem may be a bogus PC/SC on Mac OS X. You should open a
bug report at [1].

Another solution is to fix the problem in OpenSC. I do not know
OpenVPN and don't know how OpenVPN uses OpenSC. You should describe
the problem on the OpenSC-devel list [2].

Bye

[1] http://bugreport.apple.com/
[2] https://lists.sourceforge.net/lists/listinfo/opensc-devel

-- 
Dr. Ludovic Rousseau
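
The fork() behaviour described in the reply above, as an added example that is not part of the original thread or of pcsc-lite, OpenSC or OpenVPN code: a client records which process established its context and establishes a new one when the PID changes. `struct sc_ctx`, `ctx_establish` and `ctx_get` are hypothetical stand-ins so the block builds without pcsc-lite; a real client would call SCardEstablishContext() in the establish step.

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for a PC/SC context (an SCARDCONTEXT in pcsc-lite). */
struct sc_ctx {
    long handle;   /* constructed value, not a real PC/SC handle */
    pid_t owner;   /* process that established the context */
};

static long next_handle = 1;

/* Hypothetical establish step; a real client would call
 * SCardEstablishContext() here and check its return code. */
static void ctx_establish(struct sc_ctx *c)
{
    c->handle = next_handle++;
    c->owner = getpid();
}

/* Return a context valid for the calling process. A handle inherited
 * across fork() belongs to the parent, so the child establishes its own. */
static struct sc_ctx *ctx_get(struct sc_ctx *c)
{
    if (c->owner != getpid())
        ctx_establish(c);
    return c;
}

/* Fork once. Returns 1 if the child obtained its own context and the
 * parent's context is unchanged, 0 if not, -1 on fork/wait failure. */
int child_gets_fresh_context(void)
{
    struct sc_ctx ctx = {0, 0};
    ctx_establish(&ctx);
    long parent_handle = ctx.handle;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {   /* child: must not reuse the parent's handle */
        struct sc_ctx *mine = ctx_get(&ctx);
        _exit(mine->owner == getpid() && mine->handle != parent_handle ? 0 : 1);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0
        && ctx_get(&ctx)->handle == parent_handle;
}

int main(void) { return child_gets_fresh_context() == 1 ? 0 : 1; }
```

The PID comparison covers only fork(); after execve() the new program image starts with no inherited handle state and has to establish its context from scratch.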
