Hi,

On Tue, Apr 20, 2021 at 6:47 AM Jan Just Keijser <janj...@nikhef.nl> wrote:
>
> Hi Selva,
>

..some good info snipped..

>
> I agree that it is better to stop using pkcs11-helper (if possible). I can 
> reproduce the problem using "softhsm" (from http://www.opendnssec.org/) as 
> well, thus you don't even need a hardware token for this.
>
> This is what I tested:
>
> softhsm2-util --init-token --slot 0 --label "SoftToken1"
> pkcs11-tool --module libsofthsm2.so --login -w client-key.der --type privkey --id 20210420
> pkcs11-tool --module libsofthsm2.so --login -w client-cert.der --type cert --id 20210420
>
> and then run openvpn using
>
> ~/src/openvpn-2.5.1/src/openvpn/openvpn --config pkcs11-udp-client.conf --verb 5
>
> with
>
> [...]
> pkcs11-providers /usr/lib64/libsofthsm2.so
> pkcs11-id 'pkcs11:model=SoftHSM%20v2;token=SoftToken1;manufacturer=SoftHSM%20project;serial=ea81c0d7adb47653;id=%20%21%04%20'
>
> and I get the exact same error:
>
> 2021-04-20 12:05:09 us=913235 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
> 2021-04-20 12:05:09 us=913246 TLS_ERROR: BIO read tls_read_plaintext error
> 2021-04-20 12:05:09 us=913250 TLS Error: TLS object -> incoming plaintext read error
> 2021-04-20 12:05:09 us=913254 TLS Error: TLS handshake failed
> 2021-04-20 12:05:09 us=913351 TCP/UDP: Closing socket

This is surprising. SoftHSM would support raw RSA signatures and hence
should work with OpenVPN + pkcs11-helper 1.26 and later even with TLS
1.3 and PSS signatures.  The problem should arise only for tokens that
insist on doing the padding internally.

By any chance, are you using an older pkcs11-helper library?


Selva

>
>
> Hopefully this will enable others to reproduce the problem.
> As for fixing pkcs11-helper: I doubt whether that is worth the effort, I'd 
> rather switch to lib11/openssl-pkcs11 engine or perhaps even p11-kit-proxy 
> (although both have their own issues)
>
> HTH,
>
> JJK
>

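The checks a reader would want before blaming pkcs11-helper, as an added example that is not part of this thread and not OpenVPN or pkcs11-helper code: a script that repeats the SoftHSM setup quoted above, lists the token's mechanisms with pkcs11-tool and classifies them (raw RSA-X-509, which lets pkcs11-helper 1.26+ do the PSS padding itself for TLS 1.3, versus RSA-PKCS only, where the token pads internally and the handshake fails as shown), compares the installed pkcs11-helper version against 1.26, and derives the percent-encoded id= field of the pkcs11: URI from the hex --id given to pkcs11-tool. The module path, PINs, the pkg-config name libpkcs11-helper-1 and the sample pkcs11-tool -M output embedded for offline testing are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed defaults; override via env.
MODULE="${MODULE:-/usr/lib64/libsofthsm2.so}"
TOKEN_LABEL="${TOKEN_LABEL:-SoftToken1}"
KEY_ID="${KEY_ID:-20210420}"          # hex object id, as passed to pkcs11-tool --id
PIN="${PIN:-1234}"; SO_PIN="${SO_PIN:-123456}"

# Convert the hex --id into the RFC 7512 id= attribute of a pkcs11: URI,
# one %XX escape per byte (20210420 -> %20%21%04%20, matching the thread).
hex_id_to_uri_id() {
    hex=$1; out=""
    while [ -n "$hex" ]; do
        out="$out%$(printf '%s' "$hex" | cut -c1-2)"
        hex=$(printf '%s' "$hex" | cut -c3-)
    done
    printf '%s\n' "$out"
}

# Read `pkcs11-tool --module $MODULE -M` output on stdin and print:
#   raw-rsa    - CKM_RSA_X_509 with sign: caller pads, so PSS works via pkcs11-helper
#   pkcs1-only - only CKM_RSA_PKCS: token insists on PKCS#1 v1.5 padding, TLS 1.3 PSS fails
#   none       - no RSA signing mechanism at all
classify_rsa_mechanisms() {
    raw=0; pkcs=0
    while IFS= read -r line; do
        case "$line" in
            *RSA-X-509,*sign*) raw=1 ;;
            *RSA-PKCS,*sign*)  pkcs=1 ;;
        esac
    done
    if [ "$raw" -eq 1 ]; then echo raw-rsa
    elif [ "$pkcs" -eq 1 ]; then echo pkcs1-only
    else echo none; fi
}

# Dotted version compare: version_ge 1.26.1 1.26 -> true, version_ge 1.25.1 1.26 -> false
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ "$a" = "$ai" ] && a="" || a=${a#*.}
        [ "$b" = "$bi" ] && b="" || b=${b#*.}
        ai=${ai:-0}; bi=${bi:-0}
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
    done
    return 0
}

# Constructed sample outputs (abridged shape of pkcs11-tool -M) for offline checks.
SAMPLE_MECHS_RAW='Supported mechanisms:
  RSA-PKCS-KEY-PAIR-GEN, keySize={512,16384}, generate_key_pair
  RSA-X-509, keySize={512,16384}, encrypt, decrypt, sign, verify
  RSA-PKCS, keySize={512,16384}, encrypt, decrypt, sign, verify, wrap, unwrap
  RSA-PKCS-PSS, keySize={512,16384}, sign, verify'
SAMPLE_MECHS_PKCS1='Supported mechanisms:
  RSA-PKCS, keySize={1024,4096}, hw, sign, verify
  SHA256-RSA-PKCS, keySize={1024,4096}, hw, sign, verify'

# Live reproduction of the thread's setup; only runs when invoked as `./script run`.
repro() {
    softhsm2-util --init-token --slot 0 --label "$TOKEN_LABEL" --pin "$PIN" --so-pin "$SO_PIN"
    pkcs11-tool --module "$MODULE" --login --pin "$PIN" -w client-key.der  --type privkey --id "$KEY_ID"
    pkcs11-tool --module "$MODULE" --login --pin "$PIN" -w client-cert.der --type cert    --id "$KEY_ID"
    echo "token RSA signing class: $(pkcs11-tool --module "$MODULE" -M | classify_rsa_mechanisms)"
    echo "expected id= attribute : $(hex_id_to_uri_id "$KEY_ID")"
    # Let OpenVPN print the serialized pkcs11-id to paste into the config.
    openvpn --show-pkcs11-ids "$MODULE"
    # Assumed pkg-config name for pkcs11-helper; PSS via raw RSA needs >= 1.26.
    ver=$(pkg-config --modversion libpkcs11-helper-1 2>/dev/null || echo 0)
    version_ge "$ver" 1.26 && echo "pkcs11-helper $ver: PSS via raw RSA supported" \
                           || echo "pkcs11-helper $ver: too old for TLS 1.3 PSS, upgrade"
}
[ "${1:-}" = "run" ] && repro
```

Run it as `./check-pkcs11.sh run` on the client host; if the classifier prints pkcs1-only, the failure is the token's padding policy rather than SoftHSM or the URI, and if it prints raw-rsa with pkcs11-helper older than 1.26, the library is the thing to upgrade first.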

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
