PKCS#11: Cannot perform signature 6:'CKR_FUNCTION_FAILED'


Anton Redozubov

Jul 22, 2011, 2:31:08 PM
to tunnelbli...@googlegroups.com
I am trying to connect to a VPN via Tunnelblick 3.2beta26 using an eToken.
After connecting to the server, Tunnelblick asks me to enter the eToken PIN, but each time I enter the PIN I see the error "CKR_FUNCTION_FAILED" and it asks for the PIN again, and again.
What should I do?

Here is the config:
------------------------------------------------------------------------------------------------------------------------------
client
proto tcp
remote xxx 443
remote yyy 443
remote zzz 443
remote aaa 443
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
ca xxx.crt
pkcs11-providers /Library/Frameworks/eToken.framework/Versions/8.0.0.6/libeToken.dylib
pkcs11-id 'SafeNet\x2C\x20Inc\x2E/eToken/0054d44f/xxx/xxx'
verb 3
ping 15
route-method exe
route-delay 2
remote-cert-tls server
#up /etc/openvpn/myupdate-resolv-conf
#down /etc/openvpn/myupdate-resolv-conf
------------------------------------------------------------------------------------------------------------------------------

Here is the log:
------------------------------------------------------------------------------------------------------------------------------ 
2011-07-22 22:14:07 SIGUSR1[soft,tls-error] received, process restarting 
2011-07-22 22:14:07 MANAGEMENT: >STATE:1311358447,RECONNECTING,tls-error,, 
2011-07-22 22:14:07 MANAGEMENT: CMD 'hold release' 
2011-07-22 22:14:07 WARNING: --ping should normally be used with --ping-restart or --ping-exit 
2011-07-22 22:14:07 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 
2011-07-22 22:14:07 Re-using SSL/TLS context 
2011-07-22 22:14:07 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ] 
2011-07-22 22:14:07 Socket Buffers: R=[65536->65536] S=[65536->65536] 
2011-07-22 22:14:07 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ] 
2011-07-22 22:14:07 Local Options hash (VER=V4): 'db02a8f8' 
2011-07-22 22:14:07 Expected Remote Options hash (VER=V4): '7e068940' 
2011-07-22 22:14:07 Attempting to establish TCP connection with xxx:443 [nonblock] 
2011-07-22 22:14:07 MANAGEMENT: >STATE:1311358447,TCP_CONNECT,,, 
2011-07-22 22:14:08 TCP connection established with xxx:443 
2011-07-22 22:14:08 TCPv4_CLIENT link local: [undef] 
2011-07-22 22:14:08 TCPv4_CLIENT link remote: xxx:443 
2011-07-22 22:14:08 MANAGEMENT: >STATE:1311358448,WAIT,,, 
2011-07-22 22:14:08 MANAGEMENT: >STATE:1311358448,AUTH,,, 
2011-07-22 22:14:08 TLS: Initial packet from xxx:443, sid=57b87a50 0c34fae5 
2011-07-22 22:14:08 VERIFY OK: depth=2, /CN=xxx 
2011-07-22 22:14:08 VERIFY OK: depth=1, /DC=dom/DC=xxx/CN=xxx 
2011-07-22 22:14:08 Validating certificate key usage 
2011-07-22 22:14:08 ++ Certificate has key usage 00a0, expects 00a0 
2011-07-22 22:14:08 VERIFY KU OK 
2011-07-22 22:14:08 Validating certificate extended key usage 
2011-07-22 22:14:08 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication 
2011-07-22 22:14:08 VERIFY EKU OK 
2011-07-22 22:14:08 VERIFY OK: depth=0, /C=RU/ST=MSK/L=Moscow/O=xxx/OU=IT_Department/CN=xxx/emailAddress=xxx 
2011-07-22 22:14:12 MANAGEMENT: CMD 'password [...]' 
2011-07-22 22:14:18 PKCS#11: Cannot perform signature 6:'CKR_FUNCTION_FAILED' 
2011-07-22 22:14:18 TLS_ERROR: BIO read tls_read_plaintext error: error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib 
2011-07-22 22:14:18 TLS Error: TLS object -> incoming plaintext read error 
2011-07-22 22:14:18 TLS Error: TLS handshake failed 
2011-07-22 22:14:18 Fatal TLS error (check_tls_errors_co), restarting 
2011-07-22 22:14:18 TCP/UDP: Closing socket
------------------------------------------------------------------------------------------------------------------------------
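The log above gets past server chain verification (VERIFY OK down to depth=0), the GUI hands a PIN to OpenVPN over the management interface, and only then does the token's signing call fail while OpenSSL is in SSL3_SEND_CLIENT_VERIFY, i.e. while producing the client's CertificateVerify. The script below is an added example, not code from this thread, Tunnelblick or OpenVPN: it reads OpenVPN client log lines and reports at which stage a PKCS#11-backed client authentication broke. The embedded logs are a constructed, abridged copy of the post's log and one constructed contrasting log (a server certificate failure) that is not from the post; the CKR_* values are from the PKCS#11 v2.x specification and the OpenSSL error layout is the pre-3.0 packed lib/func/reason format.

```python
"""Stage triage for OpenVPN client logs when a PKCS#11 token performs client auth."""
import re

# CK_RV codes from the PKCS#11 v2.x spec; unknown codes fall back to the name in the log.
CKR_NAMES = {
    0x00: "CKR_OK", 0x05: "CKR_GENERAL_ERROR", 0x06: "CKR_FUNCTION_FAILED",
    0x07: "CKR_ARGUMENTS_BAD", 0x30: "CKR_DEVICE_ERROR", 0x32: "CKR_DEVICE_REMOVED",
    0x54: "CKR_FUNCTION_NOT_SUPPORTED", 0x60: "CKR_KEY_HANDLE_INVALID",
    0x70: "CKR_MECHANISM_INVALID", 0xA0: "CKR_PIN_INCORRECT", 0xA4: "CKR_PIN_LOCKED",
    0xB3: "CKR_SESSION_HANDLE_INVALID", 0xE0: "CKR_TOKEN_NOT_PRESENT",
    0x101: "CKR_USER_NOT_LOGGED_IN",
}
# OpenSSL 1.x packs an error code as lib:8 | func:12 | reason:12 bits.
ERR_LIB_SSL = 20    # "SSL routines"
ERR_R_RSA_LIB = 4   # reason: the RSA method (here the PKCS#11 engine) reported failure

PKCS11_RE = re.compile(r"PKCS#11: (?P<op>[^0-9]+?) (?P<rv>\d+):'(?P<name>CKR_\w+)'")
OSSL_RE = re.compile(r"error:(?P<code>[0-9A-Fa-f]{8}):[^:]+:(?P<func>[^:]+):")
VERIFY_OK = re.compile(r"VERIFY OK: depth=0\b")
VERIFY_ERR = re.compile(r"VERIFY (?:ERROR|X509NAME ERROR|KU ERROR|EKU ERROR)")
RESTART = re.compile(r"SIGUSR1\[soft,tls-error\]")


def decode_openssl_error(code):
    """Unpack an OpenSSL 1.x error code into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def verdict(r):
    """Turn the collected facts into a one-line diagnosis."""
    if r["verify_error"]:
        return "server chain rejected by the client: " + r["verify_error"]
    if r["ckr"] is not None:
        name = r["ckr_name"]
        if name in ("CKR_PIN_INCORRECT", "CKR_PIN_LOCKED", "CKR_USER_NOT_LOGGED_IN"):
            return f"token did not accept a login before signing ({name})"
        if name in ("CKR_TOKEN_NOT_PRESENT", "CKR_DEVICE_REMOVED", "CKR_DEVICE_ERROR"):
            return f"token unreachable during signing ({name})"
        ctx = []
        if r["server_chain_verified"]:
            ctx.append("server chain verified")
        if r["pin_passed_by_gui"]:
            ctx.append("PIN was supplied")
        if r["openssl_reason"] == ERR_R_RSA_LIB:
            ctx.append(f"OpenSSL saw the failure at {r['openssl_func']} as an RSA-lib error")
        return (f"client signature failed in the provider: '{r['pkcs11_op']}' returned "
                f"{name} ({r['ckr']}); " + ", ".join(ctx)
                + "; suspect the provider library or the key object, not the server or the PIN")
    if r["openssl_func"]:
        return f"TLS failed in OpenSSL at {r['openssl_func']} with no PKCS#11 error logged"
    return "no TLS failure found"


def triage(lines):
    """Return a dict describing how far the TLS handshake got and why it stopped."""
    r = {"server_chain_verified": False, "verify_error": None, "pin_passed_by_gui": False,
         "pkcs11_op": None, "ckr": None, "ckr_name": None,
         "openssl_func": None, "openssl_reason": None, "tls_restarts": 0}
    for line in lines:
        if VERIFY_OK.search(line):                 # leaf (depth 0) passed, so the chain is OK
            r["server_chain_verified"] = True
        if VERIFY_ERR.search(line):
            r["verify_error"] = line.strip()
        if "MANAGEMENT: CMD 'password" in line:    # GUI handed a PIN/password to OpenVPN
            r["pin_passed_by_gui"] = True
        m = PKCS11_RE.search(line)
        if m:
            r["pkcs11_op"], r["ckr"] = m.group("op"), int(m.group("rv"))
            r["ckr_name"] = CKR_NAMES.get(r["ckr"], m.group("name"))
        m = OSSL_RE.search(line)
        if m:
            _lib, _func, reason = decode_openssl_error(int(m.group("code"), 16))
            r["openssl_func"], r["openssl_reason"] = m.group("func"), reason
        if RESTART.search(line):                   # each restart is one more PIN prompt cycle
            r["tls_restarts"] += 1
    r["verdict"] = verdict(r)
    return r


# Constructed, abridged copy of the log in the post above (hosts anonymised as in the post).
LOG_FROM_POST = """\
2011-07-22 22:14:07 SIGUSR1[soft,tls-error] received, process restarting
2011-07-22 22:14:08 VERIFY OK: depth=2, /CN=xxx
2011-07-22 22:14:08 VERIFY OK: depth=1, /DC=dom/DC=xxx/CN=xxx
2011-07-22 22:14:08 VERIFY OK: depth=0, /C=RU/ST=MSK/L=Moscow/O=xxx/OU=IT_Department/CN=xxx
2011-07-22 22:14:12 MANAGEMENT: CMD 'password [...]'
2011-07-22 22:14:18 PKCS#11: Cannot perform signature 6:'CKR_FUNCTION_FAILED'
2011-07-22 22:14:18 TLS_ERROR: BIO read tls_read_plaintext error: error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib
2011-07-22 22:14:18 TLS Error: TLS handshake failed
""".splitlines()

# Constructed contrasting log (not from the post): the server's own certificate is rejected.
LOG_BAD_SERVER_CERT = """\
2011-07-22 22:20:01 VERIFY ERROR: depth=0, error=certificate has expired: /CN=xxx
2011-07-22 22:20:01 TLS Error: TLS handshake failed
""".splitlines()

if __name__ == "__main__":
    for log in (LOG_FROM_POST, LOG_BAD_SERVER_CERT):
        print(triage(log)["verdict"])
```

CKR_FUNCTION_FAILED is the provider's catch-all "the operation did not work" code, so the verdict can only narrow the fault to the provider/key path; the next step a practitioner would take is to exercise the same module outside OpenVPN, for example signing a test blob with OpenSC's pkcs11-tool against the same library and key, to separate a token or driver problem from the Tunnelblick/OpenVPN integration.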

jkbull...gmail.com

Jul 22, 2011, 2:58:44 PM
to tunnelbli...@googlegroups.com
Was this working before with a different version of Tunnelblick?

PKCS#11 is problematic on Tunnelblick. See Issue 131 and Issue 138, for example. And I recall a thread on this Discussion Group some time ago about a problem with PKCS#11 (but I can't find it now).

The main problem I have is that I don't have access to a setup that uses a PKCS#11 token, so I can't test/debug it at all.

The person who contributed the code that handles PKCS#11 no longer has access either, so he can't help.

Sorry.

jkbull...gmail.com

Jul 22, 2011, 3:03:00 PM
to tunnelbli...@googlegroups.com
You could try posting to the OpenVPN Users Forum or the OpenVPN Users Mailing List. Maybe someone will have an idea.

Anton Redozubov

Jul 23, 2011, 1:26:11 PM
to tunnelbli...@googlegroups.com
I have been using Tunnelblick since version 3.2beta22, and I see the same error.
Is it a Tunnelblick error or an OpenVPN one?

jkbull...gmail.com

Jul 23, 2011, 1:56:53 PM
to tunnelbli...@googlegroups.com
I assume it is a Tunnelblick bug, but don't know because I can't test it.

But maybe OpenVPN people can point you to another way to do it -- either without Tunnelblick, or with some other way to work around the problem.