
PKCS11 support

Hello,

I would like to see PKCS#11 support in Viscosity because my OpenVPN server needs an extra authentication which is on a smart card. I can connect from the terminal (I compiled an openvpn binary with pkcs11 support myself), but I would like to connect via the GUI client.
The following method works from terminal (my conf):

pkcs11-providers /usr/local/lib/libeTPkcs11.dylib
pkcs11-id 'my-long-long-id'
pkcs11-pin-cache 300


I replaced the openvpn binary in Viscosity with my binary compiled with pkcs11 support but I still have 2 problems:
1. On the connection I click Edit, Advanced tab. I can see the pkcs11-id line, but it looks like this: "pkcs11-id my-long-long-id" instead of this: "pkcs11-id 'my-long-long-id'". So, without the ''. I tried to import it from an .ovpn file, but it strips them out anyway.
2. My smart card has an extra password which can be queried through the management interface. On Windows, I get a popup window to enter my password for the smart card. I cannot test if this is implemented already because of the first bug. :(

Is it possible not to strip the ''s on the Advanced tab? Then I could test it with a smart card.

Thanks!
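Added example to illustrate the quoting problem in point 1 above (this is editorial code, not from the thread and not Viscosity's or OpenVPN's own source). It is a small Python tokenizer modelled on the rules of OpenVPN's configuration-line parser (whitespace separates arguments, '...' and "..." group one argument, a backslash makes the next character literal, and # or ; at the start of an argument begins a comment), plus the quoting function a GUI has to apply when it writes an Advanced-tab field back to the config file. The sample config reproduces the three lines posted above; the pkcs11-id value containing a space is constructed for illustration and does not come from the page.

```python
"""Quoting rules for OpenVPN configuration lines, modelled on OpenVPN's parse_line().

Added example; not code from the forum thread, Viscosity or OpenVPN itself.
"""

# Constructed sample: the three directives posted in the thread, plus a comment.
SAMPLE_CONF = """\
# PKCS#11 smart card setup (constructed sample)
pkcs11-providers /usr/local/lib/libeTPkcs11.dylib
pkcs11-id 'my-long-long-id'
pkcs11-pin-cache 300   ; seconds
"""


def tokenize_openvpn_line(line):
    """Split one config line into its arguments.

    Rules (as in OpenVPN's parser): whitespace separates arguments; '...' and
    "..." group an argument; a backslash makes the next character literal;
    '#' or ';' at the start of an argument begins a comment to end of line.
    """
    args = []
    buf = []
    state = "initial"       # initial | unquoted | dquoted | squoted
    backslash = False
    for ch in line:
        if backslash:       # character after a backslash is always literal
            buf.append(ch)
            backslash = False
            if state == "initial":
                state = "unquoted"
            continue
        if ch == "\\":
            backslash = True
            continue
        if state == "initial":
            if ch.isspace():
                continue
            if ch in "#;":      # comment: ignore the rest of the line
                break
            if ch == '"':
                state = "dquoted"
            elif ch == "'":
                state = "squoted"
            else:
                buf.append(ch)
                state = "unquoted"
        elif state == "unquoted":
            if ch.isspace():
                args.append("".join(buf))
                buf = []
                state = "initial"
            else:
                buf.append(ch)
        elif (state == "dquoted" and ch == '"') or (state == "squoted" and ch == "'"):
            args.append("".join(buf))   # closing quote ends the argument
            buf = []
            state = "initial"
        else:                           # inside quotes everything is literal
            buf.append(ch)
    if backslash:
        raise ValueError("trailing backslash: %r" % line)
    if state in ("dquoted", "squoted"):
        raise ValueError("unterminated quote: %r" % line)
    if state == "unquoted":
        args.append("".join(buf))
    return args


def parse_config(text):
    """Parse a whole config into [directive, arg, ...] lists, skipping blank and comment lines."""
    return [t for t in (tokenize_openvpn_line(l) for l in text.splitlines()) if t]


def quote_arg(arg):
    """Quote an argument so that tokenize_openvpn_line() gives it back unchanged.

    Arguments containing whitespace, quotes, backslashes, '#' or ';' (or an empty
    argument) are wrapped in double quotes with backslash escapes; anything else
    stays bare. A GUI that strips the quotes instead silently splits an id that
    contains a space into several arguments.
    """
    if arg and not any(c.isspace() or c in "\"'\\#;" for c in arg):
        return arg
    return '"' + arg.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_line(args):
    """Write a directive and its arguments back as one config line."""
    return " ".join(quote_arg(a) for a in args)


if __name__ == "__main__":
    for directive in parse_config(SAMPLE_CONF):
        print(directive)
    # Constructed id with a space: quoted it is one argument, unquoted it is three.
    print(tokenize_openvpn_line("pkcs11-id 'Vendor Name/Model 1'"))
    print(tokenize_openvpn_line("pkcs11-id Vendor Name/Model 1"))
    print(render_line(["pkcs11-id", "Vendor Name/Model 1"]))
```

For the id posted in the thread the quotes change nothing, since it contains no whitespace; the round trip only breaks for values that need quoting, which is why a GUI should re-quote on write rather than drop the quotes on read.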

Well, I figured out that I can copy my conf file to ~/Library/Application Support/Viscosity/OpenVPN/1 so Viscosity doesn't escape my ''s anymore. It works now: the popup window appears to ask for my password, but nothing happens when I enter it. Here is the log (xxx.xxx.xxx.xxx is the server's IP address):

Mon May  4 19:14:34 2009: PKCS#11: Adding PKCS#11 provider '/usr/local/lib/libeTPkcs11.dylib'
Mon May  4 19:14:34 2009: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon May  4 19:14:34 2009: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon May  4 19:14:35 2009: LZO compression initialized
Mon May  4 19:14:35 2009: Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Mon May  4 19:14:35 2009: Data Channel MTU parms [ L:1544 D:1300 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Mon May  4 19:14:35 2009: Local Options String: 'V4
Mon May  4 19:14:35 2009: Expected Remote Options String: 'V4
Mon May  4 19:14:35 2009: Local Options hash (VER=V4): '69109d17'
Mon May  4 19:14:35 2009: Expected Remote Options hash (VER=V4): 'c0103fa8'
Mon May  4 19:14:35 2009: Attempting to establish TCP connection with xxx.xxx.xxx.xxx:443 [nonblock]
Mon May  4 19:14:35 2009: MANAGEMENT: >STATE:1241457275
Mon May  4 19:14:36 2009: TCP connection established with xxx.xxx.xxx.xxx:443
Mon May  4 19:14:36 2009: Socket Buffers: R=[525624->65536] S=[131768->65536]
Mon May  4 19:14:36 2009: TCPv4_CLIENT link local: [undef]
Mon May  4 19:14:36 2009: TCPv4_CLIENT link remote: xxx.xxx.xxx.xxx:443
Mon May  4 19:14:36 2009: MANAGEMENT: >STATE:1241457276
Mon May  4 19:14:36 2009: MANAGEMENT: >STATE:1241457276
Mon May  4 19:14:36 2009: TLS: Initial packet from xxx.xxx.xxx.xxx:443
Mon May  4 19:14:36 2009: VERIFY OK: depth=1
Mon May  4 19:14:36 2009: VERIFY OK: depth=0


Any help would be appreciated. Thanks!

Hi jdg,

We aim to have full support, including a GUI, for PKCS11 with version 1.1 of Viscosity. However until then you can use the approach you have taken to get it to work yourself.

jdg wrote:
It works now, popup window appears to ask my password, but nothing happens when I enter it

Is it just a normal password entry window, or a username/password entry window? Are you entering standard ASCII characters (i.e. A-Z, 0-9, etc.), or does your PIN contain non-ASCII characters?

Cheers,
James

Thanks James, looking forward to 1.1 :)

James wrote:
Is it just a normal password entry window, or a username/password entry window? Are you entering standard ASCII characters (i.e. A-Z, 0-9, etc.), or does your PIN contain non-ASCII characters?


It's a password entry window, I'm entering ASCII characters only. Nothing happens :/

jdg wrote:
It's a password entry window, I'm entering ASCII characters only. Nothing happens :/

Strange. Unfortunately I'm currently unable to attempt to replicate this at my end. Would you be able to get in touch via [email protected]? If so, I'll get a debug version of Viscosity to you that might reveal what is going on.

Cheers,
James

Hi,

I have been trying to get this to work on Mac OS X 10.8.5 without success.

I get the following error:
PKCS#11: Cannot initialize provider '/usr/lib/pkcs11/libgtop11dotnet.dylib' 6-'CKR_FUNCTION_FAILED'

I am, however, able to connect to my VPN using the same config file with a version of openvpn (with pkcs11 support) that I compiled myself. When I copy in the compiled openvpn, it is able to add the provider, but it gets stuck here:
("verb 3" turned on)

darwin12.5.0 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [MH] [IPv6] built on Sep 17 2013
Sep 19 17:19:29: MANAGEMENT: CMD 'state on'
Sep 19 17:19:29: MANAGEMENT: CMD 'hold release'
Sep 19 17:19:29: MANAGEMENT: CMD 'hold release'
Sep 19 17:19:30: MANAGEMENT: CMD 'state on'
Sep 19 17:19:30: MANAGEMENT: CMD 'hold release'
Sep 19 17:19:30: MANAGEMENT: CMD 'pid'
Sep 19 17:19:30: MANAGEMENT: CMD 'username "Auth" "asdf"'
Sep 19 17:19:30: MANAGEMENT: CMD 'pid'
Sep 19 17:19:31: MANAGEMENT: CMD 'hold release'
Sep 19 17:19:31: MANAGEMENT: CMD 'pid'
Sep 19 17:19:31: MANAGEMENT: CMD 'password [...]'
Sep 19 17:19:31: PKCS#11: Adding PKCS#11 provider '/usr/lib/pkcs11/libgtop11dotnet.dylib'
Sep 19 17:19:31: MANAGEMENT: CMD 'pid'

Is there an update coming to viscosity soon to support this?

Hi seunomosowon,

What is the architecture of the provider/driver library for your device? You can find this out using the following command in the Terminal:

lipo -info /usr/lib/pkcs11/libgtop11dotnet.dylib

Viscosity's OpenVPN binary is 32-bit to maintain compatibility with older PKCS#11 providers (the vast majority of provider files we see are 32-bit only). Newer provider files are Fat files (i.e. dual 32 and 64 bit), and so this isn't an issue. At a guess it sounds like your provider file could be 64-bit only. If this is the case reinstalling it (I've yet to see any 64-bit only provider files), or installing the 32-bit version, should fix it.

However I'd also recommend checking Viscosity's raw OpenVPN configuration file to ensure the PKCS#11 setup matches that of the one you are successfully using with your own binary to ensure it isn't simply a configuration issue. You can find the config file for your connection at:
Your Home Folder/Library/Application Support/Viscosity/OpenVPN/#/config.conf

As for alternatives, you can try using the OpenSC PKCS#11 drivers with your device instead, which many use with Viscosity successfully. Another option would be to replace Viscosity's binary with your own at /Library/ViscosityHelperTools, although you'll have to ensure the owner and permissions exactly match.

Cheers,
James
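Added example (editorial code, not from the thread, Viscosity or Apple's tools) that performs the architecture check James describes without calling lipo: it reads the Mach-O or universal ("fat") header of the OpenVPN binary and of the provider dylib, lists the architecture slices each contains, and reports whether the process has any slice it can load from the library, since dyld can only load a slice matching the architecture the process is running as. The magic numbers and cputype values are the standard Mach-O ones; the byte strings at the bottom are constructed minimal headers standing in for a 32-bit-only openvpn, a 64-bit-only provider and a fat i386+x86_64 provider, not real binaries.

```python
"""Check whether a PKCS#11 provider dylib has a slice the OpenVPN binary can load,
by reading Mach-O / fat headers directly (the information `lipo -info` prints).

Added example; not code from the forum thread, Viscosity or Apple's tools.
"""
import struct
import sys

FAT_MAGIC = 0xCAFEBABE      # universal ("fat") file; its header is always big-endian
MH_MAGIC = 0xFEEDFACE       # 32-bit Mach-O
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit Mach-O
CPU_ARCH_ABI64 = 0x01000000 # flag OR'ed into cputype for 64-bit variants

CPU_NAMES = {
    7: "i386", 7 | CPU_ARCH_ABI64: "x86_64",
    12: "arm", 12 | CPU_ARCH_ABI64: "arm64",
    18: "ppc", 18 | CPU_ARCH_ABI64: "ppc64",
}


def cpu_name(cputype):
    return CPU_NAMES.get(cputype, "cputype 0x%08x" % cputype)


def macho_archs(data):
    """Return the architecture slices present in a Mach-O or fat file header."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O file")
    (be_magic,) = struct.unpack(">I", data[:4])
    if be_magic == FAT_MAGIC:
        (nfat,) = struct.unpack(">I", data[4:8])
        # Java class files share the CAFEBABE magic; a real fat header has only a
        # handful of slices, so an implausible count is rejected (heuristic).
        if not 0 < nfat < 64:
            raise ValueError("implausible fat header (Java class file?)")
        archs = []
        for i in range(nfat):
            off = 8 + 20 * i            # struct fat_arch is five uint32 = 20 bytes
            if len(data) < off + 20:
                raise ValueError("truncated fat header")
            (cputype,) = struct.unpack(">I", data[off:off + 4])
            archs.append(cpu_name(cputype))
        return archs
    if be_magic in (MH_MAGIC, MH_MAGIC_64):       # big-endian thin file (e.g. ppc)
        (cputype,) = struct.unpack(">I", data[4:8])
        return [cpu_name(cputype)]
    (le_magic,) = struct.unpack("<I", data[:4])
    if le_magic in (MH_MAGIC, MH_MAGIC_64):       # little-endian thin file (x86, arm)
        (cputype,) = struct.unpack("<I", data[4:8])
        return [cpu_name(cputype)]
    raise ValueError("not a Mach-O or fat file")


def loadable_archs(process_archs, library_archs):
    """dyld only loads a library slice whose architecture matches the running process."""
    return sorted(set(process_archs) & set(library_archs))


def diagnose(openvpn_data, provider_data):
    """Compare an openvpn binary with a PKCS#11 provider and return the verdict."""
    ovpn, prov = macho_archs(openvpn_data), macho_archs(provider_data)
    shared = loadable_archs(ovpn, prov)
    verdict = "ok" if shared else "incompatible: provider has no slice for %s" % "/".join(ovpn)
    return {"openvpn": ovpn, "provider": prov, "shared": shared, "verdict": verdict}


# Constructed minimal headers (not real binaries): a 32-bit-only x86 openvpn,
# a 64-bit-only x86_64 provider and a fat i386+x86_64 provider.
OPENVPN_32 = struct.pack("<II", MH_MAGIC, 7) + b"\0" * 24
PROVIDER_64_ONLY = struct.pack("<II", MH_MAGIC_64, 7 | CPU_ARCH_ABI64) + b"\0" * 24
PROVIDER_FAT = (struct.pack(">II", FAT_MAGIC, 2)
                + struct.pack(">IIIII", 7, 3, 4096, 100, 12)                     # i386 slice
                + struct.pack(">IIIII", 7 | CPU_ARCH_ABI64, 3, 8192, 100, 12))   # x86_64 slice

if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: macho_check.py <openvpn-binary> <provider.dylib>
        with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
            print(diagnose(f.read(), g.read()))
    else:
        print(diagnose(OPENVPN_32, PROVIDER_64_ONLY)["verdict"])
        print(diagnose(OPENVPN_32, PROVIDER_FAT)["verdict"])
```

Run it on the real files (for example the binary under /Library/ViscosityHelperTools and the provider path from the CKR_FUNCTION_FAILED line) to see the same slice list lipo prints; an empty "shared" list is the 64-bit-only case James describes, and a fat provider resolves it.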

Hi,

It's an old topic, however I can report that I recently encountered the same issue (popup window asking for PKCS11 and the Viscosity log reporting the error "PKCS#11: Cannot initialize provider xxx 6-'CKR_FUNCTION_FAILED'") after upgrading to macOS Mojave. On Yosemite Viscosity worked fine, and the move to Mojave broke my VPN operation for a long while... until today.
I tried several potential fixes (e.g. giving root permission for the directory containing the provider dylib, changing the PKCS11 provider). Eventually Viscosity got back to normal when I switched to openvpn 2.4 (go to general settings and avoid version 2.3).
This may help others...

Cheers