On 29/08/16 21:55, David Sommerseth wrote:
> On 29/08/16 15:02, Samuli Seppänen wrote:
>> Hi,
>>
>> Right now our Windows installers use the official pkcs11-helper
>> release from the OpenSC project. Unfortunately this means that
>> output of "--show-pkcs11-ids" and input of "--pkcs11-id" are
>> non-standard, as reported here:
>>
>> <https://community.openvpn.net/openvpn/ticket/491>
>>
>> In Fedora this problem has been fixed with a custom patch
>>
>> <https://github.com/OpenSC/pkcs11-helper/pull/4>
>> <http://pkgs.fedoraproject.org/cgit/rpms/pkcs11-helper.git/>
>>
>> Debian and Ubuntu are _not_ patching this issue:
>>
>> <http://http.debian.net/debian/pool/main/p/pkcs11-helper/pkcs11-helper_1.11-5.debian.tar.xz>
>> <http://archive.ubuntu.com/ubuntu/pool/main/p/pkcs11-helper/pkcs11-helper_1.11-5.debian.tar.xz>
>>
>> Do _we_ want to move to start using a patched pkcs11-helper
>> version?
>
> There have been some proposals to ditch pkcs11-helper and rather
> use a newer and more compliant library instead (p11-kit). I think
> this makes more sense, to be honest. There are more issues with
> pkcs11-helper which upstream seems less interested in resolving,
> among others challenges with systemd and the PIN code [1]. So as
> things start to pile up, I think it's better to move on to
> something else.
>
> Of course, someone needs to do this job. JJK sponsored me with a
> PKCS#11 token at last hackathon + since that time I've gotten
> myself both a Yubikey Neo and a NitroKey so I believe I have what's
> needed to begin to dive into this rabbit hole ... I just need to
> get this prioritized on my TODO list. Unless someone else wants to
> give it a try, if so let me know and we'll see if I can help out
> somehow.
>
> With that in mind, if shipping a patched pkcs11-helper in Windows
> makes your life easier I'd consider doing this. But step
> carefully, avoid getting in a situation where you suddenly have to
> maintain these patches yourself. Rather try to see what Fedora
> does and see if that can be re-used as much as possible.

And the missing [1] URL ...

<https://bugzilla.redhat.com/show_bug.cgi?id=1135932>

--
kind regards,

David Sommerseth
------------------------------------------------------------------------------
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel