PKCS#11 with etoken


usannsell

Aug 21, 2009, 7:25:13 AM
to tunnelblick-discuss
I was happy to read about the PKCS#11 support for Tunnelblick and
therefore recently upgraded to the latest Tunnelblick on my Mac to test
it out.

It seems fairly OK, but it pops up a window asking me to insert the
eToken. I do that, but after clicking OK the log says "but not yet
verified" and the same window pops up again. The only way to move
forward is to click Cancel, and then of course it cannot retrieve the
keys, since I did not enter a password for the token.

Is there something in the setup I am missing?

The tunnelblick log shows...
2009-08-21 13:20:50 Tunnelblick 3 (3.0b14 build 573); OpenVPN 2 (2.1_rc15)
2009-08-21 13:20:51 SUCCESS: pid=588
2009-08-21 13:20:51 SUCCESS: real-time state notification set to ON
2009-08-21 13:20:51 SUCCESS: real-time log notification set to ON
2009-08-21 13:20:51 OpenVPN 2.1_rc15 i386-apple-darwin9.8.0 [SSL] [LZO2] [PKCS11] built on Aug 10 2009
2009-08-21 13:20:51 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337
2009-08-21 13:20:51 waiting...
2009-08-21 13:20:51 MANAGEMENT: Client connected from 127.0.0.1:1337
2009-08-21 13:20:51 END
2009-08-21 13:20:51 SUCCESS: hold release succeeded
2009-08-21 13:20:51 PKCS#11: Adding PKCS#11 provider '/usr/local/lib/libeTPkcs11.dylib'
2009-08-21 13:20:51 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2009-08-21 13:20:57 but not yet verified
2009-08-21 13:21:00 but not yet verified
2009-08-21 13:21:00 PKCS#11: Cannot get certificate object
2009-08-21 13:21:00 PKCS#11: Cannot get certificate object
2009-08-21 13:21:00 PKCS#11: Unable get rsa object
2009-08-21 13:21:00 Cannot load certificate " Aladdin\x20Ltd\x2E/eToken/002576fb/eToken/36354139453844323442334143344341" using PKCS#11 interface
2009-08-21 13:21:00 Error: private key password verification failed

XaLopp

Aug 22, 2009, 7:11:37 AM
to tunnelblick-discuss
It sounds like the pkcs11-id in your configuration doesn't match the
token name.

Please make sure that your "pkcs11-id" is correct. You need the
Serialized id from the output of

sudo /Applications/Tunnelblick.app/Contents//Resources/openvpn --show-pkcs11-ids /usr/local/lib/libeTPkcs11.dylib

and don't forget that every backslash needs to be quoted by a
backslash (\ -> \\)

Hope this helps.
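To make the procedure in the reply above concrete, here is an added example (not code from the thread, Tunnelblick or OpenVPN): it pulls the Serialized id out of `--show-pkcs11-ids` output, decodes the `\xNN` escapes so you can see what the token is actually called, emits the `pkcs11-providers`/`pkcs11-id` lines with every backslash doubled, and checks an existing config the way OpenVPN's option parser would read it, so an undoubled backslash shows up as a mismatch instead of a "Cannot get certificate object" at connect time. The command output embedded in it is constructed for the example; it follows the "Serialized id:" layout OpenVPN prints and reuses the id and provider path visible in the log posted above.

```python
"""Derive and check an OpenVPN pkcs11-id from --show-pkcs11-ids output.

Added example for this thread, not code from the Tunnelblick or OpenVPN
projects. SAMPLE_SHOW_IDS is a constructed stand-in for what
`openvpn --show-pkcs11-ids <provider>` prints.
"""
import re

# Constructed sample output; the serialized id is the one from the log above.
SAMPLE_SHOW_IDS = """\
Certificate
       DN:             /C=DK/O=Example/CN=vpn-user
       Serial:         1F
       Serialized id:  Aladdin\\x20Ltd\\x2E/eToken/002576fb/eToken/36354139453844323442334143344341
"""

PROVIDER = "/usr/local/lib/libeTPkcs11.dylib"   # provider path from the log above


def parse_show_pkcs11_ids(text):
    """Return every serialized id found in --show-pkcs11-ids output."""
    return re.findall(r"Serialized id:\s+(\S+)", text)


def decode_serialized_id(sid):
    """Turn a serialized id back into readable token fields.

    The id is manufacturer/model/serial/label/hex-object-id; characters such
    as space and '.' are written as \\xNN and the last field is the object
    id in hex. Decoding it makes odd characters in the token label visible.
    """
    def unescape(field):
        return re.sub(r"\\x([0-9A-Fa-f]{2})",
                      lambda m: chr(int(m.group(1), 16)), field)

    parts = sid.split("/")
    fields = [unescape(p) for p in parts[:-1]]
    try:
        fields.append(bytes.fromhex(parts[-1]).decode("ascii"))
    except (ValueError, UnicodeDecodeError):
        fields.append(parts[-1])   # keep the raw hex if it is not ASCII
    return fields


def config_lines(provider, sid):
    """Config lines with every backslash doubled, as the reply advises, so
    the option parser hands the id through unchanged."""
    return [
        "pkcs11-providers " + provider,
        "pkcs11-id " + sid.replace("\\", "\\\\"),
    ]


def effective_pkcs11_id(config_text):
    """Extract pkcs11-id as OpenVPN reads an unquoted value: a backslash
    escapes the next character, so an undoubled \\x20 collapses to x20.
    Surrounding quotes are dropped. Returns None if the option is absent."""
    m = re.search(r"^\s*pkcs11-id\s+(.+?)\s*$", config_text, re.MULTILINE)
    if not m:
        return None
    value = m.group(1).strip("'\"")
    return re.sub(r"\\(.)", r"\1", value)


def config_matches_token(config_text, show_ids_text):
    """True when the config's pkcs11-id names an object the token reports;
    False is the mismatch behind "Cannot get certificate object"."""
    return effective_pkcs11_id(config_text) in parse_show_pkcs11_ids(show_ids_text)


if __name__ == "__main__":
    for sid in parse_show_pkcs11_ids(SAMPLE_SHOW_IDS):
        print("token fields:", decode_serialized_id(sid))
        print("\n".join(config_lines(PROVIDER, sid)))
```

To use it against a real token, replace SAMPLE_SHOW_IDS with the captured output of the `--show-pkcs11-ids` command from the reply and feed your .ovpn text to `config_matches_token`. The decoded fields are the quickest way to spot a label the import tool mangled, which is what the original poster eventually found.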

Ulrik Sannsell

Aug 24, 2009, 7:35:46 AM
to tunnelbli...@googlegroups.com
Thanks for your help. It turned out that when I imported it via the PKI tool on the Mac, it named the token very strangely and included a ' in the name, which confused things.
When importing it in Windows I was able to get a more appropriate serialised id, which made it work :)

Best regards,


Ulrik Sannsell
Drift

DIBS Payment Services
Direkte: +45 8880 9925
Mobil: +45 3132 9276
www.dibs.dk

> -----Original message-----
> From: tunnelbli...@googlegroups.com
> [mailto:tunnelbli...@googlegroups.com] On behalf of XaLopp
> Sent: 22 August 2009 13:12
> To: tunnelblick-discuss
> Subject: Re: PKCS#11 with etoken