Version 1,11 double prompts for PIN

Got a problem with Viscosity or need help? Ask here!


Posts: 1
Joined: Tue Mar 05, 2024 10:57 pm

Post by mihkel » Tue Mar 05, 2024 11:03 pm
latest version 1.11 forces to enter PIN two times for Yubikey/PKCS #11 certificate, but then connects fine. Annoying though, as entry cannot be omitted. Reverting back to 1.10.8 to avoid the double entry now...


User avatar
Posts: 2318
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Fri Mar 08, 2024 1:48 am
Hi mihkel,

It sounds likely you have your certificate in a slot on your token that has the CKA_ALWAYS_AUTHENTICATE flag set.

OpenVPN 2.6 (well technically pkcs11-helper on macOS) properly respects this flag, while older versions would not. When OpenVPN needs to sign data using your token two operations are performed: one to get information about the key and required storage, and one for the actual sign operation. If CKA_ALWAYS_AUTHENTICATE is set, then a PIN prompt is required twice.

To avoid this you can remove the CKA_ALWAYS_AUTHENTICATE flag from your identity on the PKCS#11 device. On some devices this may mean moving your identity to a different slot. For example , with Yubikeys slot 9c has that flag set, while slot 9a does not, so you can move your identity to slot 9a. On other devices, you may need to reconfigure the flags on the certificate using a management application.

An alternative approach you can try is to use Viscosity's "System Identity" support instead. This supports using identities on tokens without the need for a PKCS#11 driver, as long as the token is supported by macOS (most are).

To use a System Identity, change the Authentication method when editing your connection to "SSL/TLS Client (System Identity)", set the Retrieval option to "Use selected identity", connect your token (if it's not already connected), and then click the "+" button to select a system identity. If your token is supported you should see the identity on the token in the list. Select it and try connecting. You should be prompted for a PIN (by macOS, rather than Viscosity) and as macOS uses a different API you may only be prompted once (but it depends on your device).

2 posts Page 1 of 1