Hi Mike,

Having this in a release depends on getting the PR merged upstream.

My patch for updating the API with signature parameters has been merged into pkcs11-helper, so, in principle, we could now handle this in OpenVPN. But that takes some effort.

Thanks for testing,

Selva

On Fri, Jul 30, 2021 at 8:39 AM mike tancsa <m...@sentex.net> wrote:
> Hi,
>
> Thanks, I finally got around to testing this with the current
> version of OpenVPN from git and it works great on my
> Aladdin/SafeNet/Gemalto/Thales token (model 510x)
>
> Would be great if this was part of the default build/distribution.
>
> I can now get TLS1.3 working using the pkcs11 interface.
>
> ---Mike
>
> On 5/2/2021 7:13 PM, Selva Nair wrote:
> > Hi,
> >
> > Currently RSA-PSS signatures are handled in pkcs11-helper by asking
> > the token to do raw RSA signature of data already padded by OpenSSL.
> > Many new hardware tokens refuse to support this mode and require the
> > padding to be done in hardware.
> >
> > For a recent user report see this thread:
> > https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg05732.html
> >
> > Probably there are some related tickets on Trac too.
> >
> > In OpenVPN, we have a couple of options to fix this:
> >
> > (i) Use a different library like libp11 (for OpenSSL only).
> > (ii) Extend pkcs11-helper
> > (iii) Roll something new on our own :)
> >
> > After some thought, I have decided that extending pkcs11-helper may be
> > the least painful approach --- not including the mental distress in
> > getting code reviews and changes accepted. The "helper" has several
> > features that we depend on and not readily available in alternatives.
> >
> > If anyone is interested in testing this, see
> > https://github.com/selvanair/pkcs11-helper/releases/tag/pss-support
> >
> > Though I've opened a PR at
> > https://github.com/OpenSC/pkcs11-helper/pull/31 , it's only an RFC
> > and would likely require some iterations.
> >
> > Comments, suggestions for improvement, and test reports, are most
> > welcome.
> >
> > Thanks,
> >
> > Selva
> >
> >
> > _______________________________________________
> > Openvpn-devel mailing list
> > openvpn-de...@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/openvpn-devel

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
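The "pad in OpenSSL, sign raw on the token" path that the quoted message describes, as an added example that is not pkcs11-helper or OpenVPN code: EMSA-PSS encoding per RFC 8017 is done in software (OpenSSL's role), the padded block goes through a plain RSA private-key operation (what a CKM_RSA_X_509 request asks of the token), and an ordinary PSS verifier accepts the result without knowing which side did the padding. It assumes SHA-256 with a salt as long as the hash, as TLS 1.3 uses, and a toy in-process RSA key standing in for the token's key.

```python
import hashlib, random
H, HLEN = hashlib.sha256, 32   # message hash, MGF1 hash and the PSS "H" value all use SHA-256

def mgf1(seed, n):             # RFC 8017 B.2.1 mask generation function
    return b"".join(H(seed + c.to_bytes(4, "big")).digest() for c in range(n // HLEN + 1))[:n]

def emsa_pss_encode(msg, em_bits, salt):        # RFC 8017 9.1.1: the padding OpenSSL does in software
    em_len = (em_bits + 7) // 8
    assert em_len >= HLEN + len(salt) + 2, "modulus too small for this salt length"
    h = H(b"\x00" * 8 + H(msg).digest() + salt).digest()
    db = b"\x00" * (em_len - len(salt) - HLEN - 2) + b"\x01" + salt
    masked = bytes(a ^ b for a, b in zip(db, mgf1(h, em_len - HLEN - 1)))
    top = 0xFF >> (8 * em_len - em_bits)        # clear the bits above emBits
    return bytes([masked[0] & top]) + masked[1:] + h + b"\xbc"

def emsa_pss_verify(msg, em, em_bits, s_len):   # RFC 8017 9.1.2: what every PSS verifier checks
    em_len = (em_bits + 7) // 8
    top, pad = 0xFF >> (8 * em_len - em_bits), em_len - HLEN - s_len - 2
    masked, h = em[: em_len - HLEN - 1], em[em_len - HLEN - 1 : -1]
    if pad < 0 or em[-1] != 0xBC or masked[0] != masked[0] & top:
        return False
    db = bytes(a ^ b for a, b in zip(masked, mgf1(h, em_len - HLEN - 1)))
    db = bytes([db[0] & top]) + db[1:]
    if db[:pad] != b"\x00" * pad or db[pad] != 0x01:
        return False
    return h == H(b"\x00" * 8 + H(msg).digest() + db[pad + 1 :]).digest()

def _prime(bits):              # Miller-Rabin with fixed bases: adequate for random, non-adversarial candidates
    while True:
        c = random.getrandbits(bits) | 1 << (bits - 1) | 1
        r = ((c - 1) & (1 - c)).bit_length() - 1    # c - 1 == d * 2**r with d odd
        d = (c - 1) >> r
        for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
            x = pow(a, d, c)
            if x not in (1, c - 1) and not any((x := x * x % c) == c - 1 for _ in range(r - 1)):
                break                               # composite: try the next candidate
        else:
            return c

def gen_key(bits=1024):        # toy in-process RSA key (e = 65537); a real private key never leaves the token
    p, q = _prime(bits // 2), _prime(bits // 2)
    return p * q, 65537, pow(65537, -1, (p - 1) * (q - 1))   # Python 3.8+ modular inverse

def sign_with_software_padding(n, d, msg, salt):   # pad here, then raw RSA: what a CKM_RSA_X_509 request asks of the token
    em = emsa_pss_encode(msg, n.bit_length() - 1, salt)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def verify_pss(n, e, msg, sig, s_len=HLEN):   # standard PSS verification, blind to who did the padding
    em_bits, m = n.bit_length() - 1, pow(int.from_bytes(sig, "big"), e, n)
    return m.bit_length() <= em_bits and emsa_pss_verify(
        msg, m.to_bytes((em_bits + 7) // 8, "big"), em_bits, s_len)
```

A token that insists on padding in hardware is instead handed the message hash under the CKM_RSA_PKCS_PSS mechanism with CK_RSA_PKCS_PSS_PARAMS naming the same hash, MGF and salt length; the verifier above needs no change for that case.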