On 29/08/16 21:55, David Sommerseth wrote:
> On 29/08/16 15:02, Samuli Seppänen wrote:
>> Hi,
>> 
>> Right now our Windows installers use the official pkcs11-helper 
>> release from the OpenSC project. Unfortunately this means that 
>> output of "--show-pkcs11-ids" and input of "--pkcs11-id" are 
>> non-standard, as reported here:
>> 
>> <https://community.openvpn.net/openvpn/ticket/491>
>> 
>> In Fedora this problem has been fixed with a custom patch
>> 
>> <https://github.com/OpenSC/pkcs11-helper/pull/4> 
>> <http://pkgs.fedoraproject.org/cgit/rpms/pkcs11-helper.git/>
>> 
>> Debian and Ubuntu are _not_ patching this issue:
>> 
>> <http://http.debian.net/debian/pool/main/p/pkcs11-helper/pkcs11-helper_1.11-5.debian.tar.xz>
>> <http://archive.ubuntu.com/ubuntu/pool/main/p/pkcs11-helper/pkcs11-helper_1.11-5.debian.tar.xz>
>> 
>> Do _we_ want to move to start using a patched pkcs11-helper
>> version?
> 
> There have been some proposals to ditch pkcs11-helper and rather
> use a newer and more compliant library instead (p11-kit).  I think
> this makes more sense, to be honest.  There are more issues with 
> pkcs11-helper which upstream seems less interested in resolving,
> among others challenges with systemd and the PIN code [1].  So as
> things start to pile up, I think it's better to move on to
> something else.
> 
> Of course, someone needs to do this job.  JJK sponsored me with a 
> PKCS#11 token at last hackathon + since that time I've gotten
> myself both a Yubikey Neo and a NitroKey so I believe I have what's
> needed to begin to dive into this rabbit hole ... I just need to
> get this prioritized on my TODO list.  Unless someone else wants to
> give it a try, if so let me know and we'll see if I can help out
> somehow.
> 
> With that in mind, if shipping a patched pkcs11-helper in Windows 
> makes your life easier I'd consider doing this.  But step
> carefully, avoid getting in a situation where you suddenly have to
> maintain these patches yourself.  Rather try to see what Fedora
> does and see if that can be re-used as much as possible.

And the missing [1] URL ...
<https://bugzilla.redhat.com/show_bug.cgi?id=1135932>


-- 
kind regards,

David Sommerseth

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
