2022-04-29 13:35:51 |
Lorenz Schwittmann |
bug |
|
|
added bug |
2022-04-29 13:36:46 |
Lorenz Schwittmann |
affects |
file (Ubuntu) |
pkcs11-helper (Ubuntu) |
|
2022-05-12 16:49:58 |
Launchpad Janitor |
pkcs11-helper (Ubuntu): status |
New |
Confirmed |
|
2022-05-17 20:58:38 |
Brian Murray |
tags |
upgrade-software-version |
rls-jj-incoming upgrade-software-version |
|
2022-05-18 13:39:49 |
Sebastien Bacher |
pkcs11-helper (Ubuntu): importance |
Undecided |
High |
|
2022-05-18 13:39:49 |
Sebastien Bacher |
pkcs11-helper (Ubuntu): status |
Confirmed |
Fix Committed |
|
2022-05-18 13:52:06 |
Sebastien Bacher |
description |
Ubuntu 22.04 LTS
When using an openvpn configuration which uses a smartcard based authentication via "pkcs11-id" and "pkcs11-providers" the connection fails:
2022-04-29 14:07:18 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
2022-04-29 14:07:18 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2022-04-29 14:07:18 PKCS#11: Adding PKCS#11 provider '/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so'
2022-04-29 14:07:19 TCP/UDP: Preserving recently used remote address: [AF_INET6]XXXXXXXXXXXXX:1194
2022-04-29 14:07:19 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-04-29 14:07:19 UDP link local: (not bound)
2022-04-29 14:07:19 UDP link remote: [AF_INET6]XXXXXXXXXXXXX:1194
2022-04-29 14:07:19 TLS: Initial packet from [AF_INET6]XXXXXXXXXXXXX:1194, sid=xxxxx xxxx
2022-04-29 14:07:19 VERIFY OK: depth=1, CN=xxxxxxxxxxxx
2022-04-29 14:07:19 VERIFY KU OK
2022-04-29 14:07:19 Validating certificate extended key usage
2022-04-29 14:07:19 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-04-29 14:07:19 VERIFY EKU OK
2022-04-29 14:07:19 VERIFY OK: depth=0, CN=xxxxxxxxxxxxx
2022-04-29 14:07:19 OpenSSL: error:020000B3:rsa routines::missing private key
2022-04-29 14:07:19 OpenSSL: error:1C880004:Provider routines::RSA lib
2022-04-29 14:07:19 OpenSSL: error:0A080006:SSL routines::EVP lib
2022-04-29 14:07:19 TLS_ERROR: BIO read tls_read_plaintext error
2022-04-29 14:07:19 TLS Error: TLS object -> incoming plaintext read error
2022-04-29 14:07:19 TLS Error: TLS handshake failed
2022-04-29 14:07:19 SIGUSR1[soft,tls-error] received, process restarting
2022-04-29 14:07:19 Restart pause, 5 second(s)
The same problem has been reported upstream at https://github.com/OpenSC/pkcs11-helper/issues/52 which resulted in a fix.
I've downloaded and built pkcs11-helper version 1.29.0 and it fixed the problem indeed.
TLDR: please update pkcs11-helper |
* Impact
When using an openvpn configuration which uses a smartcard based authentication via "pkcs11-id" and "pkcs11-providers" the connection fails
* Test case
Try to connect to a server using OpenVPN with smartcard authentification
* Regression potential
libpkcs11-helper1 is only used by openvpn in the archive so focus the testing on openvpn + smartcards setups
-----------------------------------
Ubuntu 22.04 LTS
2022-04-29 14:07:18 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
2022-04-29 14:07:18 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2022-04-29 14:07:18 PKCS#11: Adding PKCS#11 provider '/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so'
2022-04-29 14:07:19 TCP/UDP: Preserving recently used remote address: [AF_INET6]XXXXXXXXXXXXX:1194
2022-04-29 14:07:19 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-04-29 14:07:19 UDP link local: (not bound)
2022-04-29 14:07:19 UDP link remote: [AF_INET6]XXXXXXXXXXXXX:1194
2022-04-29 14:07:19 TLS: Initial packet from [AF_INET6]XXXXXXXXXXXXX:1194, sid=xxxxx xxxx
2022-04-29 14:07:19 VERIFY OK: depth=1, CN=xxxxxxxxxxxx
2022-04-29 14:07:19 VERIFY KU OK
2022-04-29 14:07:19 Validating certificate extended key usage
2022-04-29 14:07:19 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-04-29 14:07:19 VERIFY EKU OK
2022-04-29 14:07:19 VERIFY OK: depth=0, CN=xxxxxxxxxxxxx
2022-04-29 14:07:19 OpenSSL: error:020000B3:rsa routines::missing private key
2022-04-29 14:07:19 OpenSSL: error:1C880004:Provider routines::RSA lib
2022-04-29 14:07:19 OpenSSL: error:0A080006:SSL routines::EVP lib
2022-04-29 14:07:19 TLS_ERROR: BIO read tls_read_plaintext error
2022-04-29 14:07:19 TLS Error: TLS object -> incoming plaintext read error
2022-04-29 14:07:19 TLS Error: TLS handshake failed
2022-04-29 14:07:19 SIGUSR1[soft,tls-error] received, process restarting
2022-04-29 14:07:19 Restart pause, 5 second(s)
The same problem has been reported upstream at https://github.com/OpenSC/pkcs11-helper/issues/52 which resulted in a fix.
I've downloaded and built pkcs11-helper version 1.29.0 and it fixed the problem indeed.
TLDR: please update pkcs11-helper |
|
2022-05-18 18:27:16 |
Launchpad Janitor |
pkcs11-helper (Ubuntu): status |
Fix Committed |
Fix Released |
|
2022-05-24 23:12:40 |
Brian Murray |
pkcs11-helper (Ubuntu Jammy): status |
New |
Fix Committed |
|
2022-05-24 23:12:42 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2022-05-24 23:12:44 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2022-05-24 23:12:46 |
Brian Murray |
tags |
rls-jj-incoming upgrade-software-version |
rls-jj-incoming upgrade-software-version verification-needed verification-needed-jammy |
|
2022-05-25 08:28:27 |
Lorenz Schwittmann |
tags |
rls-jj-incoming upgrade-software-version verification-needed verification-needed-jammy |
rls-jj-incoming upgrade-software-version verification-done-jammy verification-needed |
|
2022-05-30 07:37:14 |
Sebastien Bacher |
tags |
rls-jj-incoming upgrade-software-version verification-done-jammy verification-needed |
upgrade-software-version verification-done verification-done-jammy |
|
2022-06-01 01:38:42 |
Chris Halse Rogers |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2022-06-01 01:41:33 |
Launchpad Janitor |
pkcs11-helper (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|