On Mon, Oct 13, 2008 at 14:53:35 +0200, Andreas Barth wrote:
> [EMAIL PROTECTED]:~$ dpkg -l openvpn
> [...]
> hi  openvpn        2.1~rc11-1     virtual private network daemon

Version 2.1~rc11-1 works fine for me with a pkcs11-based eToken.

> [EMAIL PROTECTED]:~$ openvpn --config /etc/openvpn/vpn.conf 
> Options error: Unrecognized option or missing parameter(s) in 
> /etc/openvpn/vpn.conf:130: pkcs11-id-type (2.1_rc11)
> Use --help for more information.
> 
> The following keywords seem to be no longer understood:
> pkcs11-id-type
> pkcs11-slot-type
> pkcs11-slot

I don't think that this is a bug; it seems that these options (and some
others) were obsoleted when upstream switched from their own pkcs11 code
to using the pkcs11-helper library. (My initial report, and maybe also
my subsequent messages, might not have been clear enough about this
point.)

I propose to alert the user and explain the necessary changes to the
configuration file in NEWS.Debian.gz. I have included a draft for such a
notice below.

------------------------------------------------------------------------

The openvpn utility changed its handling of pkcs11 certificates when it
switched from built-in code to the pkcs11-helper library (package
libpkcs11-helper1 on Debian). This means that you will have to update
your openvpn configuration files if you are using such certificates. For
example, a stanza in a configuration file might previously have referred
to a given pkcs11 certificate like this:

    pkcs11-providers /usr/lib/opensc-pkcs11.so
    pkcs11-slot-type id
    pkcs11-slot 0
    pkcs11-id-type label
    pkcs11-id "YOUR_LABEL"

This stanza has to be rewritten now in the following way:

    pkcs11-providers /usr/lib/opensc-pkcs11.so
    pkcs11-id 'YOUR_PKCS11_SERIALIZED_ID'

The pkcs11-slot, pkcs11-slot-type and pkcs11-id-type options are obsolete;
a long ID string that is unique for each certificate is now used as the
only identifier. Note that YOUR_PKCS11_SERIALIZED_ID will almost
certainly be different from YOUR_LABEL that you used previously with the
pkcs11-id option. To find out the correct serialized ID(s) for your
certificate(s), you have to query the pkcs11-provider library:

    $ openvpn --show-pkcs11-ids /usr/lib/opensc-pkcs11.so

    The following objects are available for use.
    Each object shown below may be used as parameter to
    --pkcs11-id option please remember to use single quote mark.
    
    Certificate
           DN:             /CN=YOUR_USER
           Serial:         SERIAL_NUMBER
           Serialized id:  YOUR_PKCS11_SERIALIZED_ID

You have to paste YOUR_PKCS11_SERIALIZED_ID as seen in this output into
your openvpn configuration file and make sure that the string is
enclosed in single quotation marks.

The example above assumes that your cryptographic token can be accessed
via the opensc-pkcs11.so library from libopensc2. If you have to use
another library, for example a proprietary driver from the vendor of
your token, then you have to adapt both the stanza in the configuration
file and the path given on the command line accordingly.

------------------------------------------------------------------------
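As an added example that is not part of the original message or of the openvpn package: two POSIX shell helpers that mechanize the migration the draft notice describes, one that pulls the "Serialized id" values out of `openvpn --show-pkcs11-ids` output and one that rewrites an old-style stanza into the single-option form. The `--show-pkcs11-ids` output, the serialized ID and the old stanza are constructed samples; on a real system the ID comes from your own token through your provider library.

```shell
#!/bin/sh
# Added example, not part of the original message or the openvpn package.
# Helpers for the pkcs11-id migration described in the NEWS draft:
#   1. pull the "Serialized id" values out of `openvpn --show-pkcs11-ids`
#   2. rewrite an old stanza (slot/slot-type/id-type + label) into the
#      new single-option form, keeping every other directive untouched.

# Constructed sample of `openvpn --show-pkcs11-ids /usr/lib/opensc-pkcs11.so`
# output. The serialized ID is invented; the \x20 escapes mirror the way
# pkcs11-helper encodes spaces and are why the value has to be wrapped in
# single quotes in the configuration file, as the notice says.
SAMPLE_SHOW_OUTPUT='The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
       DN:             /CN=YOUR_USER
       Serial:         0102030405
       Serialized id:  Example\x20Vendor/Example\x20Token/0102030405/YOUR_USER/01'

# Constructed old-style stanza, as a pre-2.1~rc11 configuration would have it.
OLD_STANZA='pkcs11-providers /usr/lib/opensc-pkcs11.so
pkcs11-slot-type id
pkcs11-slot 0
pkcs11-id-type label
pkcs11-id "YOUR_LABEL"
verb 3'

# Print one serialized ID per line. $1 is the captured --show-pkcs11-ids text;
# printf (not echo) so backslashes in the IDs survive unchanged.
extract_serialized_ids() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*Serialized id:/ {
            sub(/^[[:space:]]*Serialized id:[[:space:]]*/, "")
            print
        }'
}

# Rewrite a stanza for the pkcs11-helper based openvpn. $1 is the old
# configuration text, $2 the serialized ID. The ID is handed to awk through
# the environment rather than -v, because -v would interpret the \x escapes.
migrate_stanza() {
    printf '%s\n' "$1" | PKCS11_ID="$2" awk '
        # obsolete options: drop them
        /^[[:space:]]*pkcs11-(slot|slot-type|id-type)[[:space:]]/ { next }
        # the label-based pkcs11-id becomes the single-quoted serialized ID
        /^[[:space:]]*pkcs11-id[[:space:]]/ {
            print "pkcs11-id \047" ENVIRON["PKCS11_ID"] "\047"
            next
        }
        { print }'
}

# End-to-end run on the constructed samples: take the first certificate
# offered by the provider and emit the migrated stanza.
migrate_first_certificate() {
    serial_id=$(extract_serialized_ids "$SAMPLE_SHOW_OUTPUT" | head -n 1)
    migrate_stanza "$OLD_STANZA" "$serial_id"
}

migrate_first_certificate
```

On a real host you would replace `SAMPLE_SHOW_OUTPUT` with `$(openvpn --show-pkcs11-ids /path/to/provider.so)` and `OLD_STANZA` with the contents of the relevant part of /etc/openvpn/*.conf; if the provider lists several certificates, pick the one whose DN matches the user the configuration is for before handing its ID to `migrate_stanza`.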
