Hi JJK,
On Fri, Apr 13, 2018 at 9:12 AM, Jan Just Keijser <janj...@nikhef.nl> wrote:
> Hi,
>
> On 11-Apr-18 19:54, Selva Nair wrote:
>
> Hi,
>
> Anyone using --cryptoapicert option on Windows with hardware tokens? If so
> could you please test 2.4.5 and the patched executable here:
> https://github.com/selvanair/openvpn/releases/tag/cng-fix
>
> I'm particularly interested in cases where TLS 1.2 is negotiated with
> tokens accessed via Windows Cryptography API (cryptoapicert) and not PKCS11.
>
> For background see https://community.openvpn.net/openvpn/ticket/1050
>
> I've added a comment: on windows 7 + Safenet eToken it does not work for
> me. I get a warning:
>
> Fri Apr 13 15:02:53 2018 us=322245 WARNING: cryptoapicert: private key is
> in a legacy store. Restricting TLS version to 1.1
>
That means the CNG-support-detection in 2.4.5 is working: there are no
errors, only warnings :)
The warning is expected if the token's minidriver does not support the new
Windows Cryptography API (CNG). Then the key handle we get can only be used
with CryptoAPI (CAPI) -- I call this legacy, and we restrict TLS version
to 1.1. It may be possible to support a limited set of TLS 1.2 signatures
even with CAPI but I did not consider this to avoid less predictable
failures.
> How can I work around that?
>
If possible, update the token driver. I had an old safenet ikey4000 which
did this but got CNG support on installing a newer driver. If you do that
you will notice 2.4.5 just errors out: TLS version does not get downgraded
(which is good), but the signature fails to verify as reported in Trac
#1050. The patched version should fix it.
Any chance of testing this with a non safenet token as well? I wonder how
other token drivers behave with 2.4.5 and the patched version.
Thanks,
Selva
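As an added illustration of the CNG/CAPI distinction discussed in this thread (this is example code written for this page, not OpenVPN's cryptoapicert implementation): the portable part maps the key spec that `CryptAcquireCertificatePrivateKey()` reports to the API the handle belongs to and applies the "legacy store, restrict TLS to 1.1" rule; the Windows-only probe under `#ifdef _WIN32` actually asks for the key with `CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG`, so a minidriver without CNG support yields a CAPI handle. The `"MY"` store, the subject substring and the constant values reproduced for non-Windows builds are assumptions of this example.

```c
/*
 * Added example (not OpenVPN's own code): tell whether a certificate's
 * private key is reachable through CNG (NCrypt) or only through legacy
 * CryptoAPI (CAPI), and derive the highest TLS version to offer.
 * The classifier builds on any platform; the probe needs Windows.
 */
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#include <ncrypt.h>
#else
/* Values from wincrypt.h, reproduced (assumption) so this builds off-Windows. */
typedef unsigned long DWORD;
#define AT_KEYEXCHANGE        1
#define AT_SIGNATURE          2
#define CERT_NCRYPT_KEY_SPEC  0xFFFFFFFF
#endif

/* TLS protocol versions as encoded on the wire. */
#define TLS_VERSION_1_1 0x0302
#define TLS_VERSION_1_2 0x0303

enum key_backend { KEY_BACKEND_UNKNOWN, KEY_BACKEND_CAPI, KEY_BACKEND_CNG };

/* AT_KEYEXCHANGE / AT_SIGNATURE mean a legacy CSP (CAPI) handle;
 * CERT_NCRYPT_KEY_SPEC means an NCrypt (CNG) key handle. */
enum key_backend classify_key_spec(DWORD key_spec)
{
    switch (key_spec) {
    case AT_KEYEXCHANGE:
    case AT_SIGNATURE:
        return KEY_BACKEND_CAPI;
    case CERT_NCRYPT_KEY_SPEC:
        return KEY_BACKEND_CNG;
    default:
        return KEY_BACKEND_UNKNOWN;
    }
}

/* The rule from the thread: with a CAPI-only handle the application does not
 * attempt TLS 1.2 signature algorithms and caps the version at 1.1.
 * Returns 0 for an unknown backend so the caller can refuse the key. */
unsigned max_tls_version_for(enum key_backend backend)
{
    switch (backend) {
    case KEY_BACKEND_CNG:  return TLS_VERSION_1_2;
    case KEY_BACKEND_CAPI: return TLS_VERSION_1_1;
    default:               return 0;
    }
}

#ifdef _WIN32
/* Find a certificate by subject substring in the current user's "MY" store
 * (assumed location for this example) and acquire its private key, preferring
 * a CNG handle and falling back to CAPI when the provider cannot supply one. */
enum key_backend probe_key_backend(const char *subject_substr)
{
    enum key_backend result = KEY_BACKEND_UNKNOWN;
    HCERTSTORE store = CertOpenSystemStoreA(0, "MY");
    if (!store) return result;

    PCCERT_CONTEXT cert = CertFindCertificateInStore(
        store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0,
        CERT_FIND_SUBJECT_STR_A, subject_substr, NULL);
    if (cert) {
        HCRYPTPROV_OR_NCRYPT_KEY_HANDLE key = 0;
        DWORD key_spec = 0;
        BOOL must_free = FALSE;
        if (CryptAcquireCertificatePrivateKey(cert, CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG,
                                              NULL, &key, &key_spec, &must_free)) {
            result = classify_key_spec(key_spec);
            if (must_free) {
                /* Release with the API that owns the handle. */
                if (key_spec == CERT_NCRYPT_KEY_SPEC) NCryptFreeObject(key);
                else CryptReleaseContext(key, 0);
            }
        }
        CertFreeCertificateContext(cert);
    }
    CertCloseStore(store, 0);
    return result;
}
#endif

int main(void)
{
#ifdef _WIN32
    enum key_backend b = probe_key_backend("OpenVPN client"); /* assumed subject */
#else
    enum key_backend b = classify_key_spec(AT_SIGNATURE); /* simulate a legacy token */
#endif
    if (b == KEY_BACKEND_CAPI)
        printf("WARNING: private key is in a legacy store. Restricting TLS version to 1.1\n");
    printf("max TLS version: 0x%04x\n", max_tls_version_for(b));
    return 0;
}
```

On Windows, link against crypt32 and ncrypt; off Windows the program only exercises the classifier with a simulated legacy key spec.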
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users