Hi,

On 16/12/14 11:34, egabr_2...@yahoo.it wrote:
> Hi,
>
> I'm trying to configure an openvpn client on Linux to use certificates stored 
> on a sc-hsm usb token; everything seemed to work fine, but then I noticed a 
> blocking problem when the reneg-sec period expires.
> When the token PIN is inserted for the first time, the initialization of the 
> vpn is successfully completed; however, after the time defined for reneg-sec 
> param (I would normally use 300s, however for these tests I set 120s), a new 
> PIN insertion request appears, and inserting again the token PIN doesn't 
> work: error messages about TLS key negotiation failure appear in logs, the 
> key renegotiation reaches a 60 seconds timeout and the PIN request is shown 
> again, and so on until I close the connection.
> The VPN hangs while waiting for a new pin insertion, although between two pin 
> requests it seems to work (until the key renegotiation succeeds the initial 
> keys are used?).
> The problem seems that for some reason the periodic key negotiations fail.
> To understand where things stop working, I made some further tests:
> - At some of the repeated PIN requests, I inserted a random string and 
> checked the pin retry counter on the token, and it was unchanged (while it 
> should be decreased by one for every wrong pin)
> - I launched pcscd in debug mode (pcscd -f -d) and noticed that no call is 
> received by pcscd after the first initialization of the vpn connection, so it
> seems that after initialization the vpn doesn't try to actually interact with 
> pcscd (and the token) anymore (until I hit ^C to close the connection).
> - I checked if something else was keeping an exclusive access on 
> /usr/lib64/opensc-pkcs11.so, blocking the vpn from using it (this happened, 
> for example, when the opensc library was added to the browser, to use the usb 
> token as a security device), but also when there isn't anything else 
> accessing the opensc library, the problem remains.
> - Other operations involving the token (I tried generating key pairs, 
> exporting/importing certificates, changing PIN, SO-PIN, using the token in 
> Firefox to store, generate and remove certificates, etc.) work correctly.
>
> Could you please help me to identify the cause of this problem?
I have not seen this problem myself, but the problem could be related to 
the userid used to run OpenVPN - when OpenVPN starts it runs as root and 
it can access the token. Later on your setup drops to userid 'openvpn'. 
If this user is not allowed to access the hardware token then it will 
not be possible to renegotiate session keys.

To verify if this is happening, try running without
   user openvpn

and with a short 'reneg-sec' time.

HTH,

JJK

> The clients I used for the tests were a CentOS 7 and a Gentoo client, while 
> as servers I used a CentOS 6.6 and a CentOS 7 hosts; in attachment are 
> configuration and log files (logs are from a connection between the Gentoo 
> client and the CentOS 7 server).
>
> The software versions present on each of the test machines are the following:
>
> --- CentOS 6.6 (tested only as ovpn server)
>
> [root@ovpn ~]# openvpn --version
> OpenVPN 2.3.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] 
> [eurephia] [MH] [IPv6] built on Sep 12 2013
> Originally developed by James Yonan
> Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sa...@openvpn.net>
>
>
> --- CentOS 7 (tested both as ovpn server and client)
>
> [root@centos7 ~]# openvpn --version
> OpenVPN 2.3.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] 
> [eurephia] [MH] [IPv6] built on Feb 14 2014
> Originally developed by James Yonan
> Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sa...@openvpn.net>
>
> [root@centos7 ~]# opensc-tool -i
> OpenSC 0.14.0 [gcc  4.8.2 20140120 (Red Hat 4.8.2-16)]
> Enabled features: zlib readline openssl pcsc(libpcsclite.so.1)
>
> [root@centos7 ~]# yum info pkcs11-helper
> Loaded plugins: fastestmirror, langpacks
> Loading mirror speeds from cached hostfile
> * base: centos.muzzy.it
> * epel: ftp.fau.de
> * extras: centos.muzzy.it
> * updates: centosq4.centos.org
> Installed Packages
> Name        : pkcs11-helper
> Arch        : x86_64
> Version    : 1.10
> Release    : 1.el7
> Size        : 129 k
> Repo        : installed
> From repo  : epel
> Summary    : A library for using PKCS#11 providers
>
> [root@centos7 x86_64]# pcscd -v
> pcsc-lite version 1.8.13.
> Copyright (C) 1999-2002 by David Corcoran <corco...@musclecard.com>.
> Copyright (C) 2001-2011 by Ludovic Rousseau <ludovic.rouss...@free.fr>.
> Copyright (C) 2003-2004 by Damien Sauveron <sauve...@labri.fr>.
> Report bugs to <mus...@lists.musclecard.com>.
> Enabled features: Linux x86_64-redhat-linux-gnu serial usb libudev
> usbdropdir=/usr/lib64/pcsc/drivers ipcdir=/var/run/pcscd
> configdir=/etc/reader.conf.d
>
>
> --- Gentoo (tested only as ovpn client)
>
> # openvpn --version
> OpenVPN 2.3.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] 
> [IPv6] built on Dec 10 2014
> library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
> Originally developed by James Yonan
> Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sa...@openvpn.net>
>
> # opensc-tool -i
> OpenSC 0.14.0 [gcc  4.8.3]
> Enabled features: zlib readline openssl pcsc(libpcsclite.so.1)
>
> * dev-libs/pkcs11-helper
> Latest version available: 1.11
> Latest version installed: 1.11
> Size of files: 372 KiB
> Homepage:      http://www.opensc-project.org/opensc/wiki/pkcs11-helper
> Description:  PKCS#11 helper library
> License:      || ( BSD GPL-2 )
>
> # pcscd -v
> pcsc-lite version 1.8.13.
> Copyright (C) 1999-2002 by David Corcoran <corco...@musclecard.com>.
> Copyright (C) 2001-2011 by Ludovic Rousseau <ludovic.rouss...@free.fr>.
> Copyright (C) 2003-2004 by Damien Sauveron <sauve...@labri.fr>.
> Report bugs to <mus...@lists.musclecard.com>.
> Enabled features: Linux x86_64-pc-linux-gnu serial usb libudev
> usbdropdir=/usr/lib64/readers/usb ipcdir=/run/pcscd
> configdir=/etc/reader.conf.d
>
>
>
>


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
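As an added illustration of the cause and test JJK proposes (example code, not from the thread or from the OpenVPN project): a small check that parses a client config, flags the combination of a PKCS#11 token, a privilege drop via 'user', and periodic renegotiation, and builds the verification config without 'user openvpn'. The sample config and its pkcs11-id are constructed placeholders; 3600 s is OpenVPN's default for reneg-sec.

```python
import shlex

# Constructed sample client config (not the poster's attachment); the pkcs11-id
# value is a placeholder, not a real pkcs11-helper serialized id.
SAMPLE_CLIENT_CONF = """\
client
dev tun
remote vpn.example.net 1194
pkcs11-providers /usr/lib64/opensc-pkcs11.so
pkcs11-id 'PLACEHOLDER-SERIALIZED-TOKEN-ID'
reneg-sec 120
user openvpn
"""

def parse_openvpn_config(text):
    """Return [(directive, args)]; skips comments, blanks and <tag>...</tag> blocks."""
    directives, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif not in_block:
            parts = shlex.split(line)  # honours quoted args such as pkcs11-id
            directives.append((parts[0], parts[1:]))
    return directives

def check_pkcs11_privdrop(directives, default_reneg=3600):
    """The failure mode from the thread: OpenVPN starts as root (token usable),
    drops to 'user X', then every reneg-sec seconds must use the token as X.
    Returns a list of findings (empty when the combination is absent)."""
    d = dict(directives)
    reneg = int(d["reneg-sec"][0]) if d.get("reneg-sec") else default_reneg
    drop_to = d["user"][0] if d.get("user") else None
    if "pkcs11-id" in d and drop_to not in (None, "root") and reneg > 0:
        return [f"PKCS#11 token in use but privileges drop to '{drop_to}'; "
                f"TLS renegotiation every {reneg}s runs as that user and may "
                f"fail to reach the token (repeated PIN prompts, TLS errors)"]
    return []

def make_verification_config(text, reneg_sec=120):
    """JJK's test: the same config without 'user' and with a short reneg-sec."""
    kept = [l for l in text.splitlines() if l.split()[:1] not in (["user"], ["reneg-sec"])]
    return "\n".join(kept + [f"reneg-sec {reneg_sec}"]) + "\n"
```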