Hi,

This is more relevant to OpenVPN than OpenSSL, so copying to the openvpn-devel list.
On Wed, Apr 10, 2019 at 10:11 AM Francois Gelis <francois.ge...@gmail.com> wrote:
> Hi all,
>
> I have a working openvpn setup with client certificate and private key
> stored on my laptop. Then, I have loaded them into a smartcard (Yubico 5
> NFC), and modified the openvpn client config accordingly. But running the
> openvpn client now fails with an error that seems to originate inside
> openssl. Here is a verbose openvpn log (only the portion that seems
> relevant for this error, but I have the full log if useful):
>
> Sat Apr 6 15:57:20 2019 us=467260 Incoming Ciphertext -> TLS
> Sat Apr 6 15:57:20 2019 us=467271 SSL state (connect): SSLv3/TLS read server hello
> Sat Apr 6 15:57:20 2019 us=467468 VERIFY OK: depth=1, CN=FG-CA
> Sat Apr 6 15:57:20 2019 us=467598 VERIFY KU OK
> Sat Apr 6 15:57:20 2019 us=467609 Validating certificate extended key usage
> Sat Apr 6 15:57:20 2019 us=467615 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
> Sat Apr 6 15:57:20 2019 us=467620 VERIFY EKU OK
> Sat Apr 6 15:57:20 2019 us=467625 VERIFY OK: depth=0, CN=tx2
> Sat Apr 6 15:57:20 2019 us=467650 SSL state (connect): SSLv3/TLS read server certificate
> Sat Apr 6 15:57:20 2019 us=467735 SSL state (connect): SSLv3/TLS read server key exchange
> Sat Apr 6 15:57:20 2019 us=467763 SSL state (connect): SSLv3/TLS read server certificate request
> Sat Apr 6 15:57:20 2019 us=467771 SSL state (connect): SSLv3/TLS read server done
> Sat Apr 6 15:57:20 2019 us=467845 SSL state (connect): SSLv3/TLS write client certificate
> Sat Apr 6 15:57:20 2019 us=468012 SSL state (connect): SSLv3/TLS write client key exchange
> Sat Apr 6 15:57:20 2019 us=468053 PKCS#11: __pkcs11h_openssl_rsa_enc entered - flen=256, from=0x559d078d6e70, to=0x559d078d6bc0, rsa=0x559d078b3630, padding=3
> Sat Apr 6 15:57:20 2019 us=468060 PKCS#11: __pkcs11h_openssl_rsa_enc - return rv=112-'CKR_MECHANISM_INVALID'
> Sat Apr 6 15:57:20 2019 us=468070 SSL alert (write): fatal: internal error
> Sat Apr 6 15:57:20 2019 us=468085 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
> Sat Apr 6 15:57:20 2019 us=468092 TLS_ERROR: BIO read tls_read_plaintext error
> Sat Apr 6 15:57:20 2019 us=468097 TLS Error: TLS object -> incoming plaintext read error
> Sat Apr 6 15:57:20 2019 us=468101 TLS Error: TLS handshake failed
>
> Somehow, it seems that __pkcs11h_openssl_rsa_enc was called with an
> unexpected padding. Any ideas on what might be the cause of this?

As I replied to the openssl-users list[*], pkcs11-helper only supports PKCS1 signatures, not the raw signature needed in this case. We have to either patch pkcs11-helper or switch to something else.

Selva

[*] https://mta.openssl.org/pipermail/openssl-users/2019-April/010266.html
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
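To make the mismatch Selva describes concrete, here is an added example (not code from the thread, OpenVPN, OpenSSL or pkcs11-helper) that models what the TLS stack does for an RSA-PSS CertificateVerify: it PSS-encodes the block in software and then asks the token for a raw private-key operation, which is why the log shows padding=3 (OpenSSL's RSA_NO_PADDING). The simulated token, its padding-to-mechanism table, and the toy key built from two Mersenne primes are assumptions for the demonstration, not how any real token or library is implemented.

```python
import hashlib
import os

# OpenSSL rsa.h padding constants: the log's "padding=3" is RSA_NO_PADDING
RSA_PKCS1_PADDING, RSA_NO_PADDING = 1, 3
CKR_MECHANISM_INVALID = 0x70  # PKCS#11 rv=112, as in the log
# Assumed mapping for the simulated token: which PKCS#11 mechanism each
# OpenSSL padding mode would need the token to implement
PADDING_TO_MECHANISM = {RSA_PKCS1_PADDING: "CKM_RSA_PKCS", RSA_NO_PADDING: "CKM_RSA_X_509"}
# Toy RSA key from the Mersenne primes 2^521-1 and 2^607-1 (demo only, not secure)
_P, _Q = (1 << 521) - 1, (1 << 607) - 1
KEY = {"n": _P * _Q, "e": 65537, "d": pow(65537, -1, (_P - 1) * (_Q - 1))}


def mgf1(seed, length):
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(blocks))[:length]


def emsa_pss_encode(msg, em_bits, salt=None):
    """RFC 8017 EMSA-PSS (SHA-256, 32-byte salt): the padding OpenSSL applies in software."""
    salt = os.urandom(32) if salt is None else salt
    em_len = (em_bits + 7) // 8
    h = hashlib.sha256(b"\x00" * 8 + hashlib.sha256(msg).digest() + salt).digest()
    db = b"\x00" * (em_len - len(salt) - 34) + b"\x01" + salt
    masked = bytes(a ^ b for a, b in zip(db, mgf1(h, em_len - 33)))
    masked = bytes([masked[0] & (0xFF >> (8 * em_len - em_bits))]) + masked[1:]  # clear top bits
    return masked + h + b"\xbc"


def token_private_op(mechanisms, padding, data, key):
    """Simulated PKCS#11 token: returns (rv, signature) the way C_Sign reports it."""
    mech = PADDING_TO_MECHANISM[padding]
    if mech not in mechanisms:
        return CKR_MECHANISM_INVALID, None
    # CKM_RSA_X_509 is raw RSA on the block exactly as given (already PSS-padded)
    m = int.from_bytes(data, "big")
    return 0, pow(m, key["d"], key["n"]).to_bytes((key["n"].bit_length() + 7) // 8, "big")


def sign_pss_via_token(msg, key, mechanisms):
    """What OpenSSL does for rsa_pss_rsae: PSS-encode, then request a raw private op."""
    em = emsa_pss_encode(msg, key["n"].bit_length() - 1)
    rv, sig = token_private_op(mechanisms, RSA_NO_PADDING, em, key)
    return rv, sig, em
```

A token offering only CKM_RSA_PKCS answers the raw request with CKR_MECHANISM_INVALID (112), the same rv as in the log, while one that also exposes CKM_RSA_X_509 (or a native PSS mechanism) can complete the handshake; checking the token's mechanism list before deploying a PSS-capable TLS stack avoids the surprise.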