Hi all,

We are about to change from one smartcard to another, and our team has been asked to verify whether it is compliant with some of the applications we are responsible for. Initially I was pretty confident that it would be a hasty but smooth transition. Reality proved me wrong with regards to openvpn... I was wondering if I might have come up against a label-length issue...

As always, under Linux, I perform:

  openvpn --show-pkcs11-ids /usr/local/lib/libCnfpkcs11.so

and one of the strings it returns I use in the openvpn client config. But now it fails in a ghostly fashion... The server does not complain, but on the client side I noticed:

Mon Oct 14 14:40:25 2019 us=612269 TLS_ERROR: read tls_read_plaintext error: RSA - Bad input parameters to function
Mon Oct 14 14:40:25 2019 us=612347 TLS Error: TLS object -> incoming plaintext read error
Mon Oct 14 14:40:25 2019 us=612368 TLS Error: TLS handshake failed

Google gave some suggestions, which are all irrelevant:

* On both server and client side I'm running openvpn-NL-2.4.6.
* It still works with the old smartcard (if I change the pkcs11-id on the client side and the client root certificate on the server side), so no conflict with mismatching ciphers, LZO, etc.
* Still using sha256. Not suddenly using sha1 :-)
* Switched tls-verify off at either side.
* The client certificate was used successfully in website client authentication.
* If I change back, all still works with the old smartcard...

One of the observations I made was the length of what "--show-pkcs11-ids" returns. With the old card it used to be 50 long:

'/19C12006010D00C0/6034016789982337/Defensiepas/41'

But with the new card, it's twice the length:

'IDEMIA/Defpas\x209528XXXX2/9066004707074907/Defpas\x209528XXXX200123456789/446566706173312041757468'

Could it be that the pkcs11-id is way too long?

Kind regards,

Hans Witvliet, J, Ing., DMO/OPS/I&S/APH, Kennis Team Opensource
Coldenhovelaan 1
Maasland 3531RC
Coldenhovelaan 1, room B213

This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
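As an added example (not from Hans's post or the OpenVPN project), a small Python parser for the serialized pkcs11-id strings quoted in the post, so the two ids can be compared field by field rather than by total length. It assumes the pkcs11-helper layout manufacturer/model/serial/label/hex-object-id with \xHH escapes for special characters; that layout is an interpretation of the quoted strings, not something the post states.

```python
import re

# Field names are an assumption based on the pkcs11-helper serialization
# that OpenVPN's --show-pkcs11-ids prints; the post does not name the fields.
FIELD_NAMES = ("manufacturer", "model", "serial", "label", "object_id")

_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def unescape(field: str) -> str:
    """Replace \\xHH escapes (e.g. \\x20 for a space) with the literal character."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), field)


def parse_pkcs11_id(serialized: str) -> dict:
    """Split an openvpn pkcs11-id into its fields and decode the hex object id.

    Splitting happens before unescaping, so an escaped '/' inside a label
    cannot produce a spurious extra field.
    """
    parts = serialized.split("/")
    if len(parts) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} fields, got {len(parts)}")
    fields = {name: unescape(raw) for name, raw in zip(FIELD_NAMES, parts)}
    # The last field is the hex-encoded CKA_ID of the certificate object.
    try:
        fields["object_id_bytes"] = bytes.fromhex(fields["object_id"])
    except ValueError as exc:
        raise ValueError("object id is not valid hex") from exc
    fields["total_length"] = len(serialized)
    return fields


def compare_ids(old: str, new: str) -> dict:
    """Return (old_len, new_len) per field to show where the growth comes from."""
    a, b = parse_pkcs11_id(old), parse_pkcs11_id(new)
    return {name: (len(a[name]), len(b[name])) for name in FIELD_NAMES}


# The two id strings quoted in the post (serial numbers masked as in the post).
OLD_ID = "/19C12006010D00C0/6034016789982337/Defensiepas/41"
NEW_ID = ("IDEMIA/Defpas\\x209528XXXX2/9066004707074907/"
          "Defpas\\x209528XXXX200123456789/446566706173312041757468")

if __name__ == "__main__":
    for name, (old_len, new_len) in compare_ids(OLD_ID, NEW_ID).items():
        print(f"{name:12s} old={old_len:3d} new={new_len:3d}")
```

Decoding the object id shows the new card's CKA_ID is a 12-byte label-like string rather than the old card's single byte, which is the kind of difference worth checking against a PKCS#11 provider's limits.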