OpenVPN with Aladdin smartcards

OpenVPN with Aladdin smartcards

Hisham Aziz

OK, so I have a signed cert on a smartcard, and I have the following issues
while trying to use it with OpenVPN on a Windows machine. The OpenVPN
version I am using is the latest release candidate available for download
from the website:

1) OpenVPN won't let me set the providers on the command line:
>openvpn --pkcs11-providers eTpkcs11.dll
returns the error:
Options error: You must define the TUN/TAP device <--dev>
Use --help for more information

2) In my config file I am using "dev tun", and that seems to make the above work,
but in the command line tool it asks for some ipconfig stuff. Now, the
stuff on the smartcard is this:
*************************************************
C:\PKI\WC\NSIS>openvpn --show-pkcs11-objects eTpkcs11.dll 0
PIN:
Token Information:
        label:          eToken
        manufacturerID: Aladdin Knowledge Systems Ltd.
        model:          eToken CardOS/M4
        serialNumber:   46fbd014
        flags:          0000000d

You can access this token using
--pkcs11-slot-type "label" --pkcs11-slot "eToken" options.

The following objects are available for use with this token.
Each object shown below may be used as a parameter to
--pkcs11-id-type and --pkcs11-id options.

Object
        Type:                   Private Key
        CKA_ID:
                06
        CKA_LABEL:              Default
        CKA_SIGN:               TRUE
        CKA_SIGN_RECOVER:       TRUE
Object
        Type:                   Certificate
        CKA_ID:
                06
        CKA_LABEL:
        subject:                /CN=Hisham Aziz/OU=CNS/O=UTORCertAuth/L=TO/ST=ON/C=CA
        serialNumber:           0F
        notBefore:              070510134745Z

***********************************
So my client config file is as follows:

;pull
client

dev tun
proto udp

remote 128.100.103.211

port 1194
resolv-retry infinite

nobind

;persist-key
;persist-tun
;ns-cert-type server


;comp-lzo
verb 3


ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"

;key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\client1.key"

pkcs11-providers "C:\\PKI\\WC\\NSIS\\eTpkcs11.dll"
pkcs11-slot-type id
pkcs11-slot 06
pkcs11-id-type subject
pkcs11-id "/CN=Hisham Aziz/OU=CNS/O=UTORCertAuth/L=TO/ST=ON/C=CA"

************************************************************

When this is run with OpenVPN I get:


C:\Program Files\OpenVPN\sample-config>openvpn e-client.ovpn
Thu May 17 13:30:03 2007 OpenVPN 2.1_rc4 Win32-MinGW [SSL] [LZO2] built on Apr 25 2007
Thu May 17 13:30:03 2007 PKCS#11: Adding PKCS#11 provider 'C:\PKI\WC\NSIS\eTpkcs11.dll'
Thu May 17 13:30:03 2007 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
NEED-OK|token-insertion-request|Please insert SLOT(id=06) token:0
Thu May 17 13:30:05 2007 PKCS#11: Cannot set parameters 1-'CKR_CANCEL'
Thu May 17 13:30:05 2007 Cannot load certificate "subject:/CN=Hisham Aziz/OU=CNS/O=UTORCertAuth/L=TO/ST=ON/C=CA" from slot "id:06" using PKCS#11 interface
Thu May 17 13:30:05 2007 Error: private key password verification failed
Thu May 17 13:30:05 2007 Exiting

C:\Program Files\OpenVPN\sample-config>


*************************
I don't understand what is wrong here. HELP


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
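Editor's note on the post above (an added example, not part of the original message or of OpenVPN's own documentation): the --show-pkcs11-objects dump itself says the token is addressed with --pkcs11-slot-type "label" --pkcs11-slot "eToken", while the posted config uses pkcs11-slot-type id with pkcs11-slot 06. The value 06 is the CKA_ID shared by the Private Key and Certificate objects on the token, not a slot, which is consistent with the log sitting at a token-insertion request for SLOT(id=06) until the prompt is cancelled (CKR_CANCEL). The fragment below keeps the poster's remote, CA and provider paths, swaps the slot selector for the one the dump printed, selects the object by its CKA_ID, and enables ns-cert-type server, the option the posted file has commented out and the one the "No server certificate verification method has been enabled" warning refers to (it requires the server certificate to carry nsCertType=server, which easy-rsa's build-key-server sets).

```conf
# Added example: the posted e-client.ovpn with the PKCS#11 selectors taken
# from the --show-pkcs11-objects output instead of from the object CKA_ID.
client
dev tun
proto udp
remote 128.100.103.211
port 1194
resolv-retry infinite
nobind
verb 3

ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
# Refuse a peer whose certificate is a client certificate even if the CA
# signed it; this is the check the MITM warning in the log says is missing.
ns-cert-type server

pkcs11-providers "C:\\PKI\\WC\\NSIS\\eTpkcs11.dll"
# As posted:   pkcs11-slot-type id / pkcs11-slot 06   -> "Please insert SLOT(id=06) token"
# As the dump printed it, the token is slot label "eToken":
pkcs11-slot-type label
pkcs11-slot "eToken"
# 06 is the CKA_ID of both the Private Key and the Certificate object.
pkcs11-id-type id
pkcs11-id 06
```

The PIN prompt is unchanged; OpenVPN asks for it when it opens the session on the token named by pkcs11-slot, so a wrong slot selector fails before the PIN is ever used, exactly as the posted log shows.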

SSL3_GET_CLIENT_CERTIFICATE:no certificate returned : ERROR HELP

Hisham Aziz



>From: "Hisham Aziz" <[hidden email]>
>Reply-To: [hidden email]
>To: [hidden email]
>Subject: OpenVPN with Aladdin smartcards
>Date: Thu, 17 May 2007 13:27:54 -0400
>

OK, having a problem with the VPN tunnel with double authentication. It seems
that the server is not getting the client certificate somehow.

This is what is on the eToken:

>*************************************************
>C:\PKI\WC\NSIS>openvpn --show-pkcs11-objects eTpkcs11.dll 0
>PIN:
>Token Information:
>        label:          eToken
>        manufacturerID: Aladdin Knowledge Systems Ltd.
>        model:          eToken CardOS/M4
>        serialNumber:   46fbd014
>        flags:          0000000d
>
>You can access this token using
>--pkcs11-slot-type "label" --pkcs11-slot "eToken" options.
>
>The following objects are available for use with this token.
>Each object shown below may be used as a parameter to
>--pkcs11-id-type and --pkcs11-id options.
>
>Object
>        Type:                   Private Key
>        CKA_ID:
>                06
>        CKA_LABEL:              Default
>        CKA_SIGN:               TRUE
>        CKA_SIGN_RECOVER:       TRUE
>Object
>        Type:                   Certificate
>        CKA_ID:
>                06
>        CKA_LABEL:
>        subject:                /CN=Hisham Aziz/OU=CNS/O=UTORCertAuth/L=TO/ST=ON/C=CA
>        serialNumber:           0F
>        notBefore:              070510134745Z
>
>***********************************

AND this is my client config file.

>;pull
>client
>
>dev tun
>proto udp
>
>remote 128.100.103.211
>
>port 1194
>resolv-retry infinite
>
>nobind
>
>;persist-key
>;persist-tun
>;ns-cert-type server
>
>
>;comp-lzo
>verb 3
>
>
>ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
>
>pkcs11-providers "C:\\PKI\\WC\\NSIS\\eTpkcs11.dll"
>pkcs11-slot-type id
>pkcs11-slot 06
>pkcs11-id-type id
>pkcs11-id 06
>
>***********************************************************

Now I tried sending just the certificate as well, with the id-type as the
subject of the cert. Same result. The resulting error message is:
SSL3_GET_CLIENT_CERTIFICATE:no certificate returned


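Both posts above pair the same token dump with a config whose pkcs11-slot-type id / pkcs11-slot 06 selector does not appear anywhere in that dump. The script below is an added example for this thread (not the poster's code and not part of OpenVPN): it parses the --show-pkcs11-objects output into the token fields and object list, reads the pkcs11-* lines of a client config, and reports selectors that do not match anything the provider listed, plus the commented-out ns-cert-type the log warns about. The dump and config excerpts inside it are constructed from the posts (the dump abridged, wrapped lines rejoined); the check covers the two pkcs11-id-type values the posts use, id and subject. It does not explain the server-side "no certificate returned" error; it only confirms whether the client is pointed at a token and certificate that exist.

```python
"""Check the pkcs11-* selectors of an OpenVPN 2.1_rc-era client config
against the token dump printed by `openvpn --show-pkcs11-objects`.
Added example for this thread, not the poster's or OpenVPN's code; the
dump and config excerpt below are constructed from the posts."""
import re
# Abridged from the poster's --show-pkcs11-objects output, wrapped lines rejoined.
SAMPLE_DUMP = """\
PIN:
Token Information:
        label:          eToken
        serialNumber:   46fbd014

You can access this token using
--pkcs11-slot-type "label" --pkcs11-slot "eToken" options.

Object
        Type:                   Private Key
        CKA_ID:
                06
        CKA_LABEL:              Default
Object
        Type:                   Certificate
        CKA_ID:
                06
        CKA_LABEL:
        subject:                /CN=Hisham Aziz/OU=CNS/O=UTORCertAuth/L=TO/ST=ON/C=CA
"""
# Selector lines as in the second post (the first differs only in selecting
# the certificate by subject); ns-cert-type is commented out in both.
CONFIG_POSTED = """\
;ns-cert-type server
pkcs11-slot-type id
pkcs11-slot 06
pkcs11-id-type id
pkcs11-id 06
"""

def parse_config(text):
    """'option args...' per line; ';' or '#' comments; quoted args kept whole."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in ";#":
            args = [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', line)]
            opts[args[0]] = args[1:]
    return opts

def parse_show_pkcs11_objects(text):
    """Return (token_info, objects); CKA_ID's value is printed on the next line."""
    token, objects, current, pending = {}, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            pending = None
        elif line == "Token Information:":
            current = token
        elif line == "Object":
            current = {}
            objects.append(current)
        elif current is None:
            continue                         # the PIN prompt before the token block
        elif pending and ":" not in line:
            current[pending] = line          # deferred value, e.g. the CKA_ID hex
            pending = None
        else:
            m = re.match(r"(\w+):\s*(.*)", line)
            if m:                            # the usage hints do not match
                current[m.group(1)] = m.group(2)
                pending = m.group(1) if not m.group(2) else None
    return token, objects

def check_pkcs11_config(token, objects, opts):
    """Return findings as plain sentences; empty when the selectors line up."""
    def first(key):
        return (opts.get(key) or [""])[0]
    findings, label = [], token.get("label")
    slot_type, slot = first("pkcs11-slot-type"), first("pkcs11-slot")
    if slot_type == "label" and slot != label:
        findings.append(f"pkcs11-slot {slot!r} is not the token label {label!r}")
    elif slot_type == "id" and slot in {o.get("CKA_ID") for o in objects}:
        findings.append(f"pkcs11-slot {slot} is the CKA_ID of the token's objects, not a "
                        f"slot; the dump says pkcs11-slot-type label, pkcs11-slot {label!r}")
    fields = {"id": "CKA_ID", "subject": "subject"}   # the two id-types used in the thread
    field, ident = fields.get(first("pkcs11-id-type")), first("pkcs11-id")
    certs = [o for o in objects if o.get("Type") == "Certificate"]
    if field is None:
        findings.append(f"pkcs11-id-type {first('pkcs11-id-type')!r} is not id or subject")
    elif not ident or not any(c.get(field) == ident for c in certs):
        findings.append(f"no Certificate object on the token has {field} == {ident!r}")
    if "ns-cert-type" not in opts:
        findings.append("ns-cert-type server is missing: any CA-signed cert is accepted as the server")
    return findings

if __name__ == "__main__":
    tok, objs = parse_show_pkcs11_objects(SAMPLE_DUMP)
    print(*check_pkcs11_config(tok, objs, parse_config(CONFIG_POSTED)), sep="\n")
```

Run against the posted selectors it reports two findings: the slot selector is an object CKA_ID rather than the token label the dump printed, and ns-cert-type is unset. With pkcs11-slot-type label / pkcs11-slot "eToken", pkcs11-id-type id / pkcs11-id 06 and ns-cert-type server it reports nothing.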

Re: OpenVPN with Aladdin smartcards

Heiland_03
This post has NOT been accepted by the mailing list yet.
In reply to this post by Hisham Aziz
Elated to know about this open vpn. There are a lot of vpn for China service providers which are providing excellent services. Got registered with a reputed vpn service provider and got free vpn server software. Happy with the services I have got from them.