Hi Mike,

On Thu, Sep 28, 2023 at 5:28 PM mike tancsa <m...@sentex.net> wrote:

> I am starting to test out 2.6.6 with a config that worked in 2.5.4 but
> am getting a failure on connect. I did have a look through the
> Changes.rst file but didn't see anything different? The only pkcs11 bits
> I have in the config are
>
> pkcs11-providers eTpkcs11.dll
> pkcs11-id 'pkcs11:model=eToken;token=....'
>
> and the same config works with the older version. Are there new
> directives I need to add? This is a Gemalto/Thales eToken. Again, it
> works fine in this environment with the only change being the version of
> OpenVPN.
>

The main change is the upgrade to OpenSSL 3.x, which seems not to like the certificate or key. Normally it should just work with no changes to the config.

> 2023-09-28 17:05:12 us=578000 PKCS#11: Failed to set cert and private
> key for OpenSSL
>

This implies the call to OpenSSL's "SSL_CTX_set_cert_and_key()" failed. The certificate and private key handle from the token are acquired before this and set in xkey-provider; both of those tasks have completed without errors. It is very unusual and rare to error out at this point. Unfortunately we do not log the reason for this failure. Instead we clear OpenSSL's error queue and print a generic error saying private key password verification failed. A retry is triggered if "auth-retry" is set to "interact", else we exit, as happened in your case.

> 2023-09-28 17:05:12 us=578000 Error: private key password verification
> failed
>

Not a very useful error message. My guess is that something in the certificate or private key is not to OpenSSL 3.1's liking and it rejects it. Is there any way for you to check the contents of the token independently using a tool linked against OpenSSL 3.1?

Selva
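One way to do the independent check Selva suggests, as an added example that is not part of the thread or of OpenVPN: read the certificate object off the token with OpenSC's pkcs11-tool and hand it to an OpenSSL 3.x binary, so a rejection comes with OpenSSL's own reason text rather than the generic OpenVPN message. The module path and certificate label are placeholders; step 2 prints the real label/ID to use.

```powershell
# Added example, not OpenVPN code. Assumes OpenSC's pkcs11-tool.exe and an
# OpenSSL 3.x openssl.exe are on PATH. Paths and labels below are placeholders.
$Module    = 'C:\Windows\System32\eTpkcs11.dll'   # placeholder: vendor PKCS#11 module
$CertLabel = 'VPN-CERT-LABEL'                     # placeholder: label shown by step 2
$Out       = Join-Path $env:TEMP 'token-cert.der'

# 1. Confirm the OpenSSL you are testing with is 3.x, i.e. the same major
#    version OpenVPN 2.6.6 is linked against.
& openssl version

# 2. List the certificate objects the token exposes and note the label / ID
#    of the one referenced by pkcs11-id in the OpenVPN config.
& pkcs11-tool --module $Module --list-objects --type cert

# 3. Copy only the certificate (DER) out of the token; the private key is
#    never exported, so this is safe to run on a production token.
& pkcs11-tool --module $Module --read-object --type cert --label $CertLabel --output-file $Out
if ($LASTEXITCODE -ne 0) { throw "pkcs11-tool could not read certificate '$CertLabel'" }

# 4. Parse it with OpenSSL 3.x. If OpenSSL objects to the certificate, the
#    error printed here is the detail OpenVPN clears from the error queue.
$text = & openssl x509 -inform DER -in $Out -noout -text
if ($LASTEXITCODE -ne 0) { throw 'OpenSSL 3.x rejected the certificate; see the error above' }

# 5. Surface the fields OpenSSL 3's security-level checks look at
#    (signature algorithm, public key size) plus validity, for a quick read.
$text | Select-String -Pattern 'Signature Algorithm:|Public-Key:|Not (Before|After)' |
    Select-Object -Unique
```

If step 4 succeeds but OpenVPN still fails, the key object rather than the certificate is the next thing to compare between the two OpenSSL versions.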
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel