On 19/06/2022 19:28, Selva Nair wrote:
Hi,
On Thu, Sep 30, 2021 at 7:34 AM Petr Mikhalicin via Openvpn-devel
<openvpn-devel@lists.sourceforge.net> wrote:
New pkcs11-helper interface allows to setup pkcs11 provider via
properties:
https://github.com/alonbl/pkcs11-helper/commit/b78d21c7e26041746aa4ae3d08b95469e1714a85
Also pkcs11-helper added ability to setup init args for pkcs11 provider:
https://github.com/alonbl/pkcs11-helper/commit/133f893e30856eba1de715ecd6fe176722eb3097
Signed-off-by: Petr Mikhalicin <mkh199...@mail.ru>
Sorry for the long delay in getting back on this. I somehow also missed
the related discussion on Trac
(https://community.openvpn.net/openvpn/ticket/1453)
I don't quite understand the need for exposing "init-args" to the user.
The only two supported flags in the cryptoki docs are related to the use
of threads. But we are the application and we should know what flags to
pass --- not the user --- isn't it? If CKF_OS_LOCKING_OK is required,
can't we just set it unconditionally?
That said, OpenVPN2 is single threaded, so why is there a "bug in
openvpn" related to the use of pkcs11 library from multiple threads
referred to in the trac ticket?
I haven't dug too deep into the matter this time; and it depends also on
the OS you are on. But there have been some issues with pkcs11-helper on
hosts with systemd, due to some intricacies with openvpn doing a fork to
kick off the password query mechanism with systemd colliding with some
pkcs11-helper implementation details. For the systemd case, we added a
workaround which made most people happy.
For more details:
<https://community.openvpn.net/openvpn/ticket/538>
--
kind regards,
David Sommerseth
OpenVPN Inc