On Feb 3, 2010, at 11:15 , Christian Horn wrote:
> Hi,
> 
> 
> I use strongswan on top of opensc to authenticate to firewalls for
> vpn-connections.
> All strongswan-versions have problems using opensc-pkcs11.so of opensc
> after rev3784 to authenticate with the firewall.
> opensc 0.11.12 also doesn't work.
> 
> Installing rev3784 I can establish the connection, with rev3785 not.
> With that commit 25 files were changed, the problem came in with patching
> the three files in src/pkcs11/ directory.
> 
> Apparently strongswan is using a different cert with rev3785.
> 'pkcs15-tool -c' shows same results with rev3784 and rev3785.
> 
>  for i in 45 46 47 49; do 
>       pkcs15-tool -r $i|openssl x509 -noout -subject; done
> 
> outputs the same subjects with both revisions.
> 
> Setting 'debug = 10' I see rev3785 apparently hands out other certs than
> rev3784.
> We already had such problems in the past, they were fixed with newer
> opensc and still fixed for pkcs15-tool, but appeared now with 
> opensc-pkcs11.so .
> 
> The card used is netkey, tcos.  In first step of production private-keys
> and certs are stored on it, with a later step personalized (person's name
> appears in subject) certs are written onto the card.  opensc-pkcs11.so
> is as I see it now handing out the first cert.
> 
> Any suggestions?
> I could look into just changing the 'paths' to the certs for netkey-cards,
> but that's just a hack.  Just using 0.11.9 for now renders everything working,
> but that's no long-term solution..

Please provide pkcs11-tool -L with a functioning and non-functioning pkcs11 
module.

The logic how objects are grouped together has changed but this should not 
affect the end result. How does strongswan look for the keys it wants to use? 
With certificate subjects?

-- 
Martin Paljak
http://martin.paljak.pri.ee
+3725156495
