pkcs11 - Please insert token


rooth...@gmail.com

Dec 20, 2016, 5:35:20 AM
to tunnelblick-discuss
Hello everyone

Tunnelblick seems not to detect an already inserted smart card on macOS Sierra. The same setup worked on OS X Mavericks, as discussed and fixed here: https://groups.google.com/forum/#!topic/tunnelblick-discuss/f6RT9eT1SJY

The same current issue seems to be mentioned here: https://groups.google.com/forum/#!topic/tunnelblick-discuss/OapMTCL8HaA

A workaround is to manually run the included OpenVPN with the same config, which works on macOS Sierra:
/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.14-openssl-1.0.2j/openvpn --config /Library/Application\ Support/Tunnelblick/Users/user/config.tblk/Contents/Resources/config.ovpn

This is the log output from Tunnelblick:
2016-12-20 10:55:35 OpenVPN 2.3.14 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Dec 7 2016
2016-12-20 10:55:35 library versions: OpenSSL 1.0.2j 26 Sep 2016, LZO 2.09
...
(a) 2016-12-20 10:55:35 PKCS#11: Adding PKCS#11 provider '/usr/local/lib/opensc-pkcs11.so'
2016-12-20 10:55:35 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
(b) 2016-12-20 10:55:39 MANAGEMENT: CMD 'needok 'token-insertion-request' ok'
(c) 2016-12-20 10:55:47 MANAGEMENT: CMD 'needok 'token-insertion-request' cancel'

It stops at line (a) with a popup request "Please insert token". I press "ok" (b) on the popup and, as it doesn't react, then "cancel" (c).
As the included OpenVPN succeeds in connecting with the smart card, I suspect something going on in how Tunnelblick queries for the PIN.

What are your thoughts, guys?

Thank you for your great work!

Tunnelblick developer

Dec 20, 2016, 7:31:08 AM
to tunnelblick-discuss, rooth...@gmail.com
Sorry, but as you can probably tell from the discussions, pkcs#11 is no longer supported in Tunnelblick. The original maintainer no longer has access to tokens, and nobody has stepped in to take their place.

It is possible that this is some simple GUI bug and has nothing to do with pkcs#11; I will look at the source code for something that would cause that, but don't get your hopes up since I can't test it or step through it to see what is going on.

rooth...@gmail.com

Dec 20, 2016, 7:37:14 AM
to tunnelblick-discuss, rooth...@gmail.com
I understand. Thank you anyway for your help and quick response.

Let me know if I can assist.

Tunnelblick developer

Dec 20, 2016, 7:41:30 AM
to tunnelblick-discuss, rooth...@gmail.com
I'll email you privately if I see something and want you to test a fix.

Tunnelblick developer

Dec 31, 2016, 7:54:13 AM
to tunnelblick-discuss, rooth...@gmail.com
Tunnelblick 3.6.10beta06 fixes a bug involved with telling OpenVPN that a token was inserted. Please try that and see if it helps.

Thomas

Jan 1, 2017, 10:52:04 AM
to Tunnelblick developer, tunnelblick-discuss

Thank you.

I will test it as soon as possible.

Regards

rooth...@gmail.com

Jan 7, 2017, 2:12:37 PM
to tunnelblick-discuss, jkbu...@gmail.com, rooth...@gmail.com
Unfortunately this did not fix it for me. I still had a working version on one of my devices (3.6.8 beta10). After using 3.6.10beta06, which did not work, and re-installing the older version, that stopped working too. I can't think of why.

Happily, OpenVPN itself still works with the Tunnelblick-supplied OpenSSL and LibreSSL 2.4.0 versions.

szobab...@gmail.com

Mar 16, 2017, 7:45:46 AM
to tunnelblick-discuss
I can confirm the issue. The workaround of calling openvpn from the terminal with the config seems to work fine, so it must be the way the GUI handles the PIN request.
Keep up the good work.

Nicolas

Nov 28, 2017, 4:14:41 AM
to tunnelblick-discuss
Hi,

Like others, I experience this issue.
It also works correctly if I run OpenVPN manually (with sudo) from a Terminal.
I tried both to type the PIN directly in OpenVPN (launched without --management-query-passwords) or to type it through the management interface; both work fine.
I also tried all 4 versions of OpenVPN (2.3.18 and 2.4.4, -libressl-2.6.2 and -openssl-1.0.2m); all work fine.

I tried to dump the network traffic on the management interface, between OpenVPN and Tunnelblick. The pcap file is attached. It shows that OpenVPN asks for the token.
When I run openvpn directly, with the management interface, it does not ask for the token (unless it is not inserted, of course), and directly asks for the PIN.
As I understand it, when run through Tunnelblick, OpenVPN fails to find the token; it looks like a permission issue…

I’d really love to see this problem fixed, and I’m ok to perform any test that might help.
Note that I have a few unused Aladdin eToken Pro USB 32k crypto tokens; I might donate one if it helps.
(Attachment: management.pcap)

Nicolas

Nov 29, 2017, 5:14:15 AM
to tunnelblick-discuss
Hi,

As a follow-up to myself, I could investigate this issue a bit further.

As far as I am concerned, the problem seems to occur only when OpenVPN is run daemonized, and Tunnelblick runs OpenVPN daemonized…

I could dig up to a call to the SCardEstablishContext PC/SC function, which returns SCARD_E_NO_SERVICE (“The Smart card resource manager is not running.”) when OpenVPN is run daemonized, and SCARD_S_SUCCESS when it’s not daemonized.

Hence, it seems to me that the problem lies somewhere between OpenVPN and pcscd, rather than in Tunnelblick.

Nicolas

Dec 11, 2017, 4:47:32 AM
to tunnelblick-discuss
Hi,

After some more investigation, I think the problem occurs because of the fork syscall that OpenVPN uses to daemonize. According to the manpage, “There are limits to what you can do in the child process. To be totally safe you should restrict yourself to only executing async-signal safe operations until such time as one of the exec functions is called. All APIs, including global data symbols, in any framework or library should be assumed to be unsafe after a fork() unless explicitly documented to be safe or async-signal safe. If you need to use these frameworks in the child process, you must exec. In this situation it is reasonable to exec yourself.”

Nicolas

Dec 11, 2017, 5:05:38 AM
to tunnelblick-discuss
Sorry, that web interface somehow damaged the end of my message…

I meant that, unfortunately, Apple changed the PC/SC framework in El Capitan, and that the new one cannot be used after a fork, as described in a blog post.
I think it would be nice if Tunnelblick could launch OpenVPN differently.
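
As an added example, not code from this thread, from Tunnelblick or from OpenVPN, the following C program performs the check Nicolas describes: it calls SCardEstablishContext() once in the original process and once more in a fork()ed child, which is the situation a daemonized OpenVPN is in, and reports both results side by side. The PC/SC library is loaded with dlopen() so the same source builds on macOS and on Linux with pcsclite. The framework path, the pcsclite library name, the 32-bit types used for Apple's PC/SC and the SCARD_* constant values are taken from the public headers and are assumptions of this example, not facts established by the thread. Build with `cc -o pcsc-fork-probe pcsc-fork-probe.c` (older glibc needs `-ldl`) and run it with a reader attached.

```c
/* Added example, not part of Tunnelblick or OpenVPN: probe PC/SC before and
 * after fork() to reproduce the behaviour reported in the thread. */
#include <dlfcn.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Values from the standard winscard headers (assumed; not quoted in the thread). */
#define SCARD_SCOPE_SYSTEM   2UL
#define SCARD_S_SUCCESS      0x00000000L
#define SCARD_E_NO_SERVICE   0x8010001DL  /* "The Smart card resource manager is not running." */
#define PROBE_NO_LIBRARY     (-1L)        /* PC/SC library could not be loaded */
#define PROBE_CHILD_FAILED   (-2L)        /* fork/pipe failure, not a PC/SC result */

#ifdef __APPLE__
/* Assumption: Apple's PCSC.framework declares LONG, DWORD and SCARDCONTEXT as 32-bit. */
typedef int32_t  pcsc_long;
typedef uint32_t pcsc_dword;
static const char PCSC_LIB[] = "/System/Library/Frameworks/PCSC.framework/PCSC";
#else
/* pcsclite declares them as native long. */
typedef long          pcsc_long;
typedef unsigned long pcsc_dword;
static const char PCSC_LIB[] = "libpcsclite.so.1";
#endif

typedef pcsc_long (*establish_fn)(pcsc_dword, const void *, const void *, pcsc_long *);
typedef pcsc_long (*release_fn)(pcsc_long);

/* Kept open across fork(), the way a PKCS#11 module loaded by OpenVPN would be. */
static void *pcsc_handle;

/* Open and immediately release a PC/SC context in the calling process.
 * Returns the SCard result code widened from its 32-bit value, or
 * PROBE_NO_LIBRARY when the PC/SC library is not available. */
long probe_pcsc(void)
{
    if (!pcsc_handle)
        pcsc_handle = dlopen(PCSC_LIB, RTLD_NOW);
    if (!pcsc_handle)
        return PROBE_NO_LIBRARY;
    establish_fn establish = (establish_fn)dlsym(pcsc_handle, "SCardEstablishContext");
    release_fn   release   = (release_fn)dlsym(pcsc_handle, "SCardReleaseContext");
    if (!establish || !release)
        return PROBE_NO_LIBRARY;
    pcsc_long ctx = 0;
    pcsc_long rc = establish((pcsc_dword)SCARD_SCOPE_SYSTEM, NULL, NULL, &ctx);
    if (rc == (pcsc_long)SCARD_S_SUCCESS)
        release(ctx);
    return (long)(uint32_t)rc;
}

/* Run probe_pcsc() in a fork()ed child and pass the result back over a pipe.
 * This mirrors the process state OpenVPN is in once it has daemonized. */
long probe_in_child(void)
{
    int fd[2];
    if (pipe(fd) != 0)
        return PROBE_CHILD_FAILED;
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_CHILD_FAILED;
    if (pid == 0) {                      /* child: only the probe, then _exit() */
        long rc = probe_pcsc();
        close(fd[0]);
        (void)write(fd[1], &rc, sizeof rc);
        _exit(0);
    }
    close(fd[1]);
    long rc = PROBE_CHILD_FAILED;
    if (read(fd[0], &rc, sizeof rc) != (ssize_t)sizeof rc)
        rc = PROBE_CHILD_FAILED;
    close(fd[0]);
    waitpid(pid, NULL, 0);
    return rc;
}

/* Human-readable name for the codes this program distinguishes. */
const char *probe_name(long rc)
{
    switch (rc) {
    case SCARD_S_SUCCESS:    return "SCARD_S_SUCCESS";
    case SCARD_E_NO_SERVICE: return "SCARD_E_NO_SERVICE";
    case PROBE_NO_LIBRARY:   return "PC/SC library not found";
    case PROBE_CHILD_FAILED: return "fork/pipe failed";
    default:                 return "other SCard error";
    }
}

int main(void)
{
    long parent = probe_pcsc();      /* not daemonized */
    long child  = probe_in_child();  /* daemonized: where the thread reports SCARD_E_NO_SERVICE */
    printf("before fork: %s (0x%lx)\n", probe_name(parent), (unsigned long)parent);
    printf("after fork:  %s (0x%lx)\n", probe_name(child), (unsigned long)child);
    return parent == child ? 0 : 1;  /* non-zero exit when the child sees a different result */
}
```

With a running PC/SC stack the first line should read SCARD_S_SUCCESS; the second line is the one the thread reports as SCARD_E_NO_SERVICE on El Capitan and later. The program only demonstrates the failure, it does not work around it: as the quoted fork(2) text says, a child that needs the framework has to exec, which is the change in how OpenVPN is launched that the thread asks for.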

al...@cambridge-blockchain.com

Feb 27, 2018, 8:49:56 AM
to tunnelblick-discuss
Hi Nicolas,

Did you encounter any success with the GUI version of Tunnelblick?

If not would you mind sharing the command line instructions to start and stop a VPN connection assuming the Tunnelblick install, please.

Many thanks!
