Re: [Openvpn-users] PKCS11 problems with 2.5.1 under windows 10

2021-04-21 Thread Selva Nair
Hi Mike, On Wed, Apr 21, 2021 at 4:55 PM mike tancsa wrote: > On 4/21/2021 12:05 PM, Selva Nair wrote: > > I think that patch is still not applied upstream. I tested softhsm > > using your instructions and it works for TLS 1.3 and PSS -- softhsm2 > > gets request to sign pre-padded PSS data as R

Re: [Openvpn-users] PKCS11 problems with 2.5.1 under windows 10

2021-04-21 Thread mike tancsa
On 4/21/2021 12:05 PM, Selva Nair wrote: > I think that patch is still not applied upstream. I tested softhsm > using your instructions and it works for TLS 1.3 and PSS -- softhsm2 > gets request to sign pre-padded PSS data as Raw RSA and it seems to > handle that. > > I can understand some hardwar

Re: [Openvpn-users] PKCS11 problems with 2.5.1 under windows 10

2021-04-21 Thread Selva Nair
Hi, On Wed, Apr 21, 2021 at 6:32 AM Jan Just Keijser wrote: > > Hi, > > On 20/04/21 20:05, Selva Nair wrote: > > On Tue, Apr 20, 2021 at 6:47 AM Jan Just Keijser wrote: > >> [...] > > >> This is surprising. SoftHSM would support raw RSA signatures and hence > >> should work with OpenVPN + pkcs11

Re: [Openvpn-users] PKCS11 problems with 2.5.1 under windows 10

2021-04-21 Thread Jan Just Keijser
Hi, On 20/04/21 20:05, Selva Nair wrote: On Tue, Apr 20, 2021 at 6:47 AM Jan Just Keijser wrote: [...] This is surprising. SoftHSM would support raw RSA signatures and hence should work with OpenVPN + pkcs11-helper 1.26 and later even with TLS 1.3 and PSS signatures. The problem should ari

Re: [Openvpn-users] PKCS11 problems with 2.5.1 under windows 10

2021-04-20 Thread Selva Nair
Hi, On Tue, Apr 20, 2021 at 6:47 AM Jan Just Keijser wrote: > > Hi Selva, > ..some good info snipped.. > > I agree that it is better to stop using pkcs11-helper (if possible). I can > reproduce the problem using "softhsm" (from http://www.opendnssec.org/) as > well, thus you don't even need a

Re: [Openvpn-users] PKCS11 problems with 2.5.1 under windows 10

2021-04-20 Thread Jan Just Keijser
Hi Selva, On 19/04/21 19:01, Selva Nair wrote: Hi JJK, On Mon, Apr 19, 2021 at 7:19 AM Jan Just Keijser > wrote: Hi Selva, On 15/04/21 20:20, Selva Nair wrote: > [...] >> >> >> Another thing I am not clear on, is where the cert signature

Re: [Openvpn-users] PKCS11 problems with 2.5.1 under windows 10

2021-04-19 Thread Selva Nair
Hi JJK, On Mon, Apr 19, 2021 at 7:19 AM Jan Just Keijser wrote: > Hi Selva, > > > On 15/04/21 20:20, Selva Nair wrote: > > [...] > > >> > >> > >> Another thing I am not clear on, is where the cert signature type is set > >> / required. I am guessing the entire chain needs to be at least SHA256

Re: [Openvpn-users] PKCS11 problems with 2.5.1 under windows 10

2021-04-19 Thread Jan Just Keijser
Hi Selva, On 15/04/21 20:20, Selva Nair wrote: [...] Another thing I am not clear on, is where the cert signature type is set / required. I am guessing the entire chain needs to be at least SHA256 right ? PKI's CA CRT, CSR, signed CRT ? We are referring to the signature algorithm set in

Re: [Openvpn-users] PKCS11 problems with 2.5.1 under windows 10

2021-04-15 Thread Selva Nair
Hi, On Thu, Apr 15, 2021 at 1:46 PM mike tancsa wrote: > > On 4/14/2021 8:23 PM, Selva Nair wrote: > > > > You can restrict TLS version using the option --tls-version-min in > > OpenVPN config file, but restricting to TLS 1.2 is not enough with > > OpenSSL 1.1.1. It defaults to PSS for both TLS 1

Re: [Openvpn-users] PKCS11 problems with 2.5.1 under windows 10

2021-04-15 Thread mike tancsa
On 4/14/2021 8:23 PM, Selva Nair wrote: > > You can restrict TLS version using the option --tls-version-min in > OpenVPN config file, but restricting to TLS 1.2 is not enough with > OpenSSL 1.1.1. It defaults to PSS for both TLS 1.2 and 1.3. > > Rather than building your own OpenSSL, a much simp

Re: [Openvpn-users] PKCS11 problems with 2.5.1 under windows 10

2021-04-14 Thread Selva Nair
Hi, On Wed, Apr 14, 2021 at 8:09 PM mike tancsa wrote: > Thank you very much for the analysis and pointer. The application is a > kiosk type environment and for a number of reasons, the windows dialog > PIN popping up is not workable. It's been a while since I built OpenVPN > from source, but I

Re: [Openvpn-users] PKCS11 problems with 2.5.1 under windows 10

2021-04-14 Thread mike tancsa
Thank you very much for the analysis and pointer. The application is a kiosk type environment and for a number of reasons, the windows dialog PIN popping up is not workable. It's been a while since I built OpenVPN from source, but I imagine I could roll a version of the OpenSSL.DLL that would max o

Re: [Openvpn-users] PKCS11 problems with 2.5.1 under windows 10

2021-04-14 Thread Selva Nair
Hi, As per the logs it's requesting unpadded signature of size 256 (padding = 3) which is expected with OpenSSL 1.1.1 and TLS 1.2 or 1.3 as it requires PSS padded signature and OpenSSL provides the padded data to sign with padding = NONE. My guess would be that your hardware token doesn't suppo

[Openvpn-users] PKCS11 problems with 2.5.1 under windows 10

2021-04-14 Thread mike tancsa
Trying out a newer version of OpenVPN community edition (latest from the website) on windows 10 and running into problems with a config that works from 2.4.7.  If I use the token with OpenVPN 2.4.7 it works as expected. On 2.5.1, I get a series of errors when using the pkcs11 method. The token wor