On 28-04-19 11:23, Steffan Karger wrote:
> Together with the pkcs11-helper fixes, I do think this is the right fix.
> I'll try to experiment a bit with it myself too.

Finally got to some testing and staring at code. The patch resolves the issue for me, and I didn't find any other issues. Our code seems to be in good shape to disable safe fork mode as far as I can tell.

I replied to the github thread on https://github.com/OpenVPN/openvpn/pull/121 with my conclusions:

"The initialization order has been changed around 2015. Since then, OpenVPN initializes the crypto - including pkcs11 - always after daemonizing. Any PIN / password is always queried before that point. Since this patch will only be applied to release/2.4 and master, we're good in that aspect.

With respect to slot events, I believe we're good too. If I understand the code correctly (@alonbl, please correct me if I'm wrong), slot events are only used if someone calls pkcs11h_setSlotEventHook(), which OpenVPN doesn't do.

Summarizing, unless @alonbl tells me I'm wrong I think this patch is good and should be merged."

-Steffan

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel