openvpn hangs system with etoken

Bug #799448 reported by michael bode
This bug affects 2 people

Affects: openvpn (Ubuntu)
Status: Expired
Importance: Low
Assigned to: Unassigned

Bug Description

Binary package hint: openvpn

When using openvpn with an Aladdin eToken, the whole system hangs. I can reproduce this by simply entering
openvpn --show-pkcs11-ids /usr/lib/opensc-pkcs11.so
as root. This works flawlessly on Ubuntu 10.10 and before. Opensc seems to read the eToken quite fine:
root@mb-VirtualBox:/usr/share/doc/openvpn# opensc-tool -l
[opensc-tool] reader-pcsc.c:906:pcsc_detect_readers: SCardEstablishContext failed: 0x8010001d
[opensc-tool] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No readers found
Readers known about:
Nr. Driver Name
0 openct Aladdin eToken PRO
1 openct OpenCT reader (detached)

root@mb-VirtualBox:/usr/share/doc/openvpn# opensc-tool -n
[opensc-tool] reader-pcsc.c:906:pcsc_detect_readers: SCardEstablishContext failed: 0x8010001d
[opensc-tool] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No readers found
Using reader with a card: Aladdin eToken PRO
CardOS M4

And pkcs11-tool can see the certs on the eToken:

root@mb-VirtualBox:/usr/share/doc/openvpn# pkcs11-tool -O
[opensc-pkcs11] reader-pcsc.c:906:pcsc_detect_readers: SCardEstablishContext failed: 0x8010001d
[opensc-pkcs11] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No readers found
[opensc-pkcs11] reader-pcsc.c:906:pcsc_detect_readers: SCardEstablishContext failed: 0x8010001d
[opensc-pkcs11] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No readers found
Certificate Object, type = X.509 cert
  label: /<email address hidden>
  ID: 45
Public Key Object; RSA 1024 bits
  label: /<email address hidden>
  ID: 45
  Usage: encrypt, verify
Certificate Object, type = X.509 cert
  label: /C=DE/ST=NA/L=<email address hidden>
  ID: 00
Public Key Object; RSA 1024 bits
  label: /C=DE/ST=NA/L=<email address hidden>
  ID: 46
  Usage: encrypt, verify

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: openvpn 2.1.3-2ubuntu3
ProcVersionSignature: Ubuntu 2.6.38-8.42-generic 2.6.38.2
Uname: Linux 2.6.38-8-generic x86_64
Architecture: amd64
Date: Sun Jun 19 17:22:11 2011
InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Release amd64 (20110427.1)
ProcEnviron:
 LANGUAGE=de_DE:en
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
SourcePackage: openvpn
UpgradeStatus: No upgrade log present (probably fresh install)

Chuck Short (zulcss) wrote :

Hi,

Thanks for the bug report, I was wondering how I can reproduce this?

Thanks
chuck

Changed in openvpn (Ubuntu):
importance: Undecided → Low
status: New → Incomplete
michael bode (m-g-bode) wrote : Re: [Bug 799448] Re: openvpn hangs system with etoken

On 21.06.2011 15:20, Chuck Short wrote:
> Hi,
>
> Thanks for the bug report, I was wondering how I can reproduce this?

Do you have an eToken? You need to put a private key and cert on the
token. This is now described here:

http://openvpn.net/index.php/open-source/documentation/howto.html#pkcs11

When I originally prepared my eToken, I created the PKCS12 file with
easy-rsa, initialized the token with pkcs15-init and put the PKCS12 file
on the token with pkcs15-init.

I'm not sure if the hang is also reproducible with a token without
PKCS15 structure on it.

It should also be possible to use Aladdin's proprietary PKCS11 provider
under Linux, but I never tried that. I can try some other eTokens with
Aladdin's file structure and see what happens with openvpn
--show-pkcs11-ids in Ubuntu 10.10 and 11.04. (Openvpn worked for me in
10.10)

Tell me how I can assist in fixing this bug.

Greetings, Michael

--
PGP fingerprint: A391 4109 F8D0 F67B C504 1EF6 0158 E3BB 3687 53CF

michael bode (m-g-bode) wrote :

On 21.06.2011 15:20, Chuck Short wrote:
> Hi,
>
> Thanks for the bug report, I was wondering how I can reproduce this?

Another data point I forgot to mention: openvpn in Debian Squeeze works
just fine. This is the exact same version as in 11.04:

Debian
mb@eris:~$ /usr/sbin/openvpn --version
OpenVPN 2.1.3 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH]
[PF_INET6] [eurephia] built on Oct 22 2010
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <email address hidden>

--
PGP fingerprint: A391 4109 F8D0 F67B C504 1EF6 0158 E3BB 3687 53CF

Arnaud Morin (arnaud-morin) wrote :

I have exactly the same bug on my side, is there any way to avoid it?

michael bode (m-g-bode) wrote :

On 19.07.2011 17:17, Arnaud wrote:
> I have exactly the same bug on my side, is there any way to avoid
> it?

Not that I know. I've now found that the freezing of the whole system
comes from over 900 openvpn processes that I can see in top before the
system becomes unresponsive.

--
PGP fingerprint: A391 4109 F8D0 F67B C504 1EF6 0158 E3BB 3687 53CF

Launchpad Janitor (janitor) wrote :

[Expired for openvpn (Ubuntu) because there has been no activity for 60 days.]

Changed in openvpn (Ubuntu):
status: Incomplete → Expired
michael bode (m-g-bode) wrote :

On 19.07.2011 17:17, Arnaud wrote:
> I have exactly the same bug on my side, is there any way to avoid it?
>

I've found the reason. Since 0.12 opensc can only have one card reader
driver enabled at any time. The default is pcsc. It seems pcsc does not
work correctly with the eToken Pro. I did recompile opensc with pcsc
disabled and openct enabled for Kubuntu 11.10 and now it works ok.

Hope that helps.

--
PGP fingerprint: A391 4109 F8D0 F67B C504 1EF6 0158 E3BB 3687 53CF
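
Added example (not part of the original report and not OpenSC or OpenVPN code): a small shell diagnostic that reads `opensc-tool -l` output in the format quoted in the bug description and reports whether the pcsc driver failed and which driver actually lists the token. The function names are hypothetical; the sample input is the output from the report, and 0x8010001d is the pcsc-lite status SCARD_E_NO_SERVICE.

```shell
#!/bin/sh
# Sample input: the `opensc-tool -l` output quoted in the bug description.
SAMPLE_OUTPUT='[opensc-tool] reader-pcsc.c:906:pcsc_detect_readers: SCardEstablishContext failed: 0x8010001d
[opensc-tool] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No readers found
Readers known about:
Nr. Driver Name
0 openct Aladdin eToken PRO
1 openct OpenCT reader (detached)'

# Print the status code of the first failed SCardEstablishContext call, if any.
pcsc_error() {
    printf '%s\n' "$1" |
        sed -n 's/.*SCardEstablishContext failed: \(0x[0-9a-fA-F]*\).*/\1/p' |
        head -n 1
}

# Print the distinct driver names from the "Nr. Driver Name" reader table.
reader_drivers() {
    printf '%s\n' "$1" | awk '
        $1 == "Nr." && $2 == "Driver" { in_table = 1; next }
        in_table && $1 ~ /^[0-9]+$/   { print $2 }' | sort -u
}

# Summarise the pcsc state and which driver(s) list a reader.
diagnose() {
    err=$(pcsc_error "$1")
    drivers=$(reader_drivers "$1" | tr '\n' ' ')
    drivers=${drivers% }
    case "$err" in
        "")            pcsc="pcsc ok" ;;
        # pcsc-lite: the smart card resource manager is not running
        0x8010001[dD]) pcsc="pcsc failed: SCARD_E_NO_SERVICE" ;;
        *)             pcsc="pcsc failed: $err" ;;
    esac
    if [ -n "$drivers" ]; then
        echo "$pcsc; readers via: $drivers"
    else
        echo "$pcsc; no readers listed"
    fi
}

# On a live system: diagnose "$(opensc-tool -l 2>&1)"
diagnose "$SAMPLE_OUTPUT"
```

A result of "pcsc failed ... no readers listed" matches the situation described in the last comment, where pcsc is the only driver built into opensc and it cannot reach the eToken.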
