On 19/06/2022 19:28, Selva Nair wrote:
Hi,

On Thu, Sep 30, 2021 at 7:34 AM Petr Mikhalicin via Openvpn-devel <openvpn-devel@lists.sourceforge.net> wrote:

    New pkcs11-helper interface allows to setup pkcs11 provider via
    properties:

    https://github.com/alonbl/pkcs11-helper/commit/b78d21c7e26041746aa4ae3d08b95469e1714a85

    Also pkcs11-helper added ability to setup init args for pkcs11 provider:

    https://github.com/alonbl/pkcs11-helper/commit/133f893e30856eba1de715ecd6fe176722eb3097

    Signed-off-by: Petr Mikhalicin <mkh199...@mail.ru>


Sorry for the long delay in getting back on this. I somehow also missed the related discussion on Trac (https://community.openvpn.net/openvpn/ticket/1453)

I don't quite understand the need for exposing "init-args" to the user. The only two supported flags in the cryptoki docs are related to the use of threads. But we are the application and we should know what flags to pass --- not the user --- isn't it? If CKF_OS_LOCKING_OK is required, can't we just set it unconditionally?

That said, OpenVPN2 is single threaded, so why is there a "bug in openvpn" related to the use of pkcs11 library from multiple threads referred to in the trac ticket?

I haven't dug too deep into the matter this time; and it depends also on the OS you are on. But there have been some issues with pkcs11-helper on hosts with systemd, due to some intricacies with openvpn doing a fork to kick off the password query mechanism with systemd colliding with some pkcs11-helper implementation details. For the systemd case, we added a workaround which made most people happy.

For more details:
<https://community.openvpn.net/openvpn/ticket/538>


--
kind regards,

David Sommerseth
OpenVPN Inc


