Unable to connect with PKCS11 / Yubikey 4

Got a problem with Viscosity or need help? Ask here!

LimesInferior

Posts: 1
Joined: Fri Nov 08, 2019 12:48 am

Post by LimesInferior » Fri Nov 08, 2019 1:08 am
Hello,

I try to connect with Viscosity, having installed OpenSC separately (from https://github.com/OpenSC/OpenSC/wiki).
The config file has been tested on another device (Linux) with OpenVPN 2.4 and works fine.
I also installed openvpn from brew and pasted the output of the command:
Code: Select all
openvpn --show-pkcs11-ids /usr/local/lib/opensc-pkcs11.so
to the relevant place in the config file. I noted that the Serialized ID looked very default-like (not remotely resembling the one I obtained on Linux machine).

I receive Yubikey PIN prompt, but authentication with the device fails. This is the log output:
Code: Select all
2019-11-07 14:38:23: ---------
2019-11-07 14:38:23: State changed to Connecting
2019-11-07 14:38:23: Checking reachability status of connection...
2019-11-07 14:38:23: Connection is reachable. Starting connection attempt.
2019-11-07 14:38:23: OpenVPN 2.4.7 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Sep 11 2019
2019-11-07 14:38:23: library versions: OpenSSL 1.0.2t  10 Sep 2019, LZO 2.10
2019-11-07 14:38:23: PKCS#11: Adding PKCS#11 provider '/usr/local/lib/opensc-pkcs11.so'
2019-11-07 14:38:23: Valid endpoint found: 104.199.53.65:1888:udp
2019-11-07 14:38:23: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2019-11-07 14:38:23: TCP/UDP: Preserving recently used remote address: [AF_INET]104.199.53.65:1888
2019-11-07 14:38:23: UDP link local: (not bound)
2019-11-07 14:38:23: UDP link remote: [AF_INET]104.199.53.65:1888
2019-11-07 14:38:23: State changed to Authenticating
2019-11-07 14:38:41: State changed to Disconnecting
2019-11-07 14:38:41: PKCS#11: Cannot perform signature 1:'CKR_CANCEL'
2019-11-07 14:38:41: OpenSSL: error:14099006:SSL routines:ssl3_send_client_verify:EVP lib
2019-11-07 14:38:41: TLS_ERROR: BIO read tls_read_plaintext error
2019-11-07 14:38:41: TLS Error: TLS object -> incoming plaintext read error
2019-11-07 14:38:41: TLS Error: TLS handshake failed
2019-11-07 14:38:41: SIGTERM[hard,tls-error] received, process exiting
2019-11-07 14:38:41: State changed to Disconnected
What I'm doing wrong? How can I connect with Viscosity?
Thanks

James

User avatar
Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Fri Nov 08, 2019 3:06 pm
Hi LimesInferior,

I recommend editing your connection in Viscosity, and under the Authentication tab change the PKCS11 Retrieval option to "Prompt for certificate name". Then attempt to connect your connection, see whether any valid PKCS#11 identities are detected and select it there (to ensure it's in the correct format) and see whether you are able to connect.

I should also mention that OpenSC is a little finicky on macOS as to what slot the certificate was loaded into on the Yubikey. Depending on what slot you are using, you may need to change it.

Finally, I should add that we've never been able to successfully use both a OTP and PKCS#11 from a Yubikey token in the same connection. Either OpenSC or the Yubikey seems to halt PKI connectivity after the OTP generation, resulting in the OpenVPN failing to connect.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
2 posts Page 1 of 1