On 29/08/16 15:02, Samuli Seppänen wrote:
> Hi,
>
> Right now our Windows installers use the official pkcs11-helper
> release from the OpenSC project. Unfortunately this means that
> output of "--show-pkcs11-ids" and input of "--pkcs11-id" are
> non-standard, as reported here:
>
> <https://community.openvpn.net/openvpn/ticket/491>
>
> In Fedora this problem has been fixed with a custom patch
>
> <https://github.com/OpenSC/pkcs11-helper/pull/4>
> <http://pkgs.fedoraproject.org/cgit/rpms/pkcs11-helper.git/>
>
> Debian and Ubuntu are _not_ patching this issue:
>
> <http://http.debian.net/debian/pool/main/p/pkcs11-helper/pkcs11-helper_1.11-5.debian.tar.xz>
>
> <http://archive.ubuntu.com/ubuntu/pool/main/p/pkcs11-helper/pkcs11-helper_1.11-5.debian.tar.xz>
>
> Do _we_ want to move to start using a patched pkcs11-helper version?

There have been some proposals to ditch pkcs11-helper and rather use a
newer and more compliant library instead (p11-kit). I think this makes
more sense, to be honest. There are more issues with pkcs11-helper which
upstream seems less interested in resolving, among others challenges
with systemd and the PIN code [1]. So as things start to pile up, I
think it's better to move on to something else.

Of course, someone needs to do this job. JJK sponsored me with a PKCS#11
token at last hackathon + since that time I've gotten myself both a
Yubikey Neo and a NitroKey so I believe I have what's needed to begin to
dive into this rabbit hole ... I just need to get this prioritized on my
TODO list. Unless someone else wants to give it a try, if so let me
know and we'll see if I can help out somehow.

With that in mind, if shipping a patched pkcs11-helper in Windows makes
your life easier I'd consider doing this. But step carefully, avoid
getting in a situation where you suddenly have to maintain these patches
yourself. Rather try to see what Fedora does and see if that can be
re-used as much as possible.

--
kind regards,

David Sommerseth

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel