Hi,

Thanks, I finally got around to testing this with the current version of OpenVPN from git and it works great on my Aladdin/SafeNet/Gemalto/Thales token (model 510x).

Would be great if this was part of the default build/distribution. I can now get TLS 1.3 working using the pkcs11 interface.

---Mike

On 5/2/2021 7:13 PM, Selva Nair wrote:
> Hi,
>
> Currently RSA-PSS signatures are handled in pkcs11-helper by asking
> the token to do raw RSA signature of data already padded by OpenSSL.
> Many new hardware tokens refuse to support this mode and require the
> padding to be done in hardware.
>
> For a recent user report see this thread:
> https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg05732.html
>
> Probably there are some related tickets on Trac too.
>
> In OpenVPN, we have a couple of options to fix this:
>
> (i) Use a different library like libp11 (for OpenSSL only).
> (ii) Extend pkcs11-helper
> (iii) Roll something new on our own :)
>
> After some thought, I have decided that extending pkcs11-helper may be
> the least painful approach --- not including the mental distress in
> getting code reviews and changes accepted. The "helper" has several
> features that we depend on and not readily available in alternatives.
>
> If anyone is interested in testing this, see
> https://github.com/selvanair/pkcs11-helper/releases/tag/pss-support
>
> Though I've opened a PR at
> https://github.com/OpenSC/pkcs11-helper/pull/31 , it's only an RFC
> and would likely require some iterations.
>
> Comments, suggestions for improvement, and test reports, are most welcome.
>
> Thanks,
>
> Selva
>
> _______________________________________________
> Openvpn-devel mailing list
> openvpn-de...@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
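The distinction Selva describes above (OpenSSL applies the PSS padding and hands the token a pre-padded block for raw RSA, versus the token applying the PSS padding itself) is easiest to see with the two paths side by side. The following is an added illustration, not code from this thread, from pkcs11-helper or from OpenVPN: it implements EMSA-PSS from RFC 8017 section 9.1 in plain Python, signs the same message once as "raw RSA over an already-padded block" and once as "pad-then-exponentiate", and checks that both verify. The RSA key is a throwaway generated in the script, the message and salt are constructed sample values, and the function names (`sign_raw_rsa`, `sign_pss_on_token`, `demo`, ...) are this example's own. A real PSS-capable token draws its own salt, so its signature would differ from the software-padded one byte for byte while still verifying; the salt is shared here only to show the arithmetic is identical. The hash, MGF and salt length match what TLS 1.3 requires for rsa_pss_rsae_sha256 (SHA-256, MGF1 with SHA-256, salt length equal to the digest length).

```python
import hashlib
import os
import random

HASH = hashlib.sha256  # rsa_pss_rsae_sha256 as TLS 1.3 uses it: SHA-256, MGF1-SHA-256, salt = hLen

# --- throwaway RSA test key, constructed here; no real token or CA key is involved ---

def _is_probable_prime(n, rounds=16):  # Miller-Rabin; fine for a demo key, not for production
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def make_test_key(bits=1024):
    """Return (n, e, d) with n exactly `bits` long, so k = bits/8 and emLen = k below."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e and n.bit_length() == bits:
            return n, e, pow(e, -1, phi)

# --- EMSA-PSS (RFC 8017 section 9.1): the padding step the thread is about ---

def mgf1(seed, length):
    h_len = HASH().digest_size
    return b"".join(HASH(seed + c.to_bytes(4, "big")).digest()
                    for c in range((length + h_len - 1) // h_len))[:length]

def emsa_pss_encode(message, em_bits, salt):
    h_len, s_len, em_len = HASH().digest_size, len(salt), (em_bits + 7) // 8
    if em_len < h_len + s_len + 2:
        raise ValueError("encoding error: modulus too small for hash + salt")
    h = HASH(b"\x00" * 8 + HASH(message).digest() + salt).digest()  # H = Hash(M')
    db = b"\x00" * (em_len - s_len - h_len - 2) + b"\x01" + salt     # DB = PS || 0x01 || salt
    masked = bytes(a ^ b for a, b in zip(db, mgf1(h, em_len - h_len - 1)))
    clear = 8 * em_len - em_bits                                      # leftmost bits must be 0
    return bytes([masked[0] & (0xFF >> clear)]) + masked[1:] + h + b"\xbc"

def emsa_pss_verify(message, em, em_bits, s_len):
    h_len, em_len = HASH().digest_size, (em_bits + 7) // 8
    if len(em) != em_len or em_len < h_len + s_len + 2 or em[-1] != 0xBC:
        return False
    masked, h = em[:em_len - h_len - 1], em[em_len - h_len - 1:-1]
    clear = 8 * em_len - em_bits
    if masked[0] & ((0xFF << (8 - clear)) & 0xFF):
        return False
    db = bytes(a ^ b for a, b in zip(masked, mgf1(h, em_len - h_len - 1)))
    db = bytes([db[0] & (0xFF >> clear)]) + db[1:]
    ps_len = em_len - h_len - s_len - 2
    if db[:ps_len] != b"\x00" * ps_len or db[ps_len] != 0x01:
        return False
    return h == HASH(b"\x00" * 8 + HASH(message).digest() + db[ps_len + 1:]).digest()

# --- the two token paths ---

def sign_raw_rsa(key, em):
    """Path (a): token asked only for raw RSA (CKM_RSA_X_509) over an EM padded by OpenSSL."""
    n, _, d = key
    return pow(int.from_bytes(em, "big"), d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def sign_pss_on_token(key, message, salt):
    """Path (b): what a CKM_RSA_PKCS_PSS token does internally: pad, then exponentiate."""
    return sign_raw_rsa(key, emsa_pss_encode(message, key[0].bit_length() - 1, salt))

def verify_pss(pub, message, sig, s_len):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")  # emLen == k when n is 8k bits
    return emsa_pss_verify(message, em, n.bit_length() - 1, s_len)

def demo(message=b"CertificateVerify signing input (constructed sample)"):
    key = make_test_key()
    n, e, _ = key
    salt = os.urandom(HASH().digest_size)  # a PSS-capable token would draw its own salt
    sig_a = sign_raw_rsa(key, emsa_pss_encode(message, n.bit_length() - 1, salt))
    sig_b = sign_pss_on_token(key, message, salt)
    return {"same_signature": sig_a == sig_b,
            "verifies": verify_pss((n, e), message, sig_a, len(salt)),
            "tampered_rejected": not verify_pss((n, e), message + b"!", sig_a, len(salt))}
```

Calling `demo()` returns all three flags set: the two paths produce the same signature for the same salt, it verifies, and a one-byte change to the message is rejected. Path (a) is the only thing a token restricted to its own padding mechanisms will refuse; the verifier on the other side of the TLS connection cannot tell which path produced the signature, which is why moving the padding into the token is a pure client-side change.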