Quote:
No it doesn't.
Hmmm...
This is what happens when I try OpenVPN with OTP+CCID+U2F enabled:
Code:
user@host:~$ /usr/sbin/openvpn --show-pkcs11-ids /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.
(Nothing is reported)
Trying to start OpenVPN:
Code:
user@host:~$ sudo openvpn --config client.conf
Mon Nov 24 16:39:22 2014 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb 4 2014
Mon Nov 24 16:39:22 2014 PKCS#11: Adding PKCS#11 provider '/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so'
NEED-OK|token-insertion-request|Please insert PIV_II (PIV Card Holder pin) token:
NEED-OK|token-insertion-request|Please insert PIV_II (PIV Card Holder pin) token:
(and yes, the Yubikey was inserted)
And here is what happens when I run exactly the same commands with only OTP+CCID enabled:
Code:
user@host:~$ /usr/sbin/openvpn --show-pkcs11-ids /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.
Certificate
DN: O=..., OU=..., CN=client
Serial: 0E
Serialized id: piv_II/...
(The certificate I've stored with the PIV applet is described)
Successfully starting OpenVPN:
Code:
user@host:~$ sudo openvpn --config client.conf
Mon Nov 24 16:41:32 2014 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb 4 2014
Mon Nov 24 16:41:32 2014 PKCS#11: Adding PKCS#11 provider '/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so'
Mon Nov 24 16:41:32 2014 UDPv4 link local: [undef]
Mon Nov 24 16:41:32 2014 UDPv4 link remote: [AF_INET]###.###.###.###:1194
Mon Nov 24 16:41:32 2014 VERIFY OK: ...
Mon Nov 24 16:41:32 2014 VERIFY OK: nsCertType=SERVER
Mon Nov 24 16:41:32 2014 VERIFY OK: ...
Enter PIV_II (PIV Card Holder pin) token Password:
Mon Nov 24 16:41:40 2014 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Nov 24 16:41:40 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Nov 24 16:41:40 2014 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Nov 24 16:41:40 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Nov 24 16:41:40 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mon Nov 24 16:41:40 2014 [server] Peer Connection Initiated with [AF_INET]###.###.###.###:1194
Mon Nov 24 16:41:43 2014 TUN/TAP device tun0 opened
Mon Nov 24 16:41:43 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Nov 24 16:41:43 2014 /sbin/ip link set dev tun0 up mtu 1500
Mon Nov 24 16:41:43 2014 /sbin/ip addr add dev tun0 local 10.8.0.46 peer 10.8.0.45
Mon Nov 24 16:41:45 2014 Initialization Sequence Completed
(Here OpenVPN starts up as expected)
Looks like the PIV applet doesn't work with OTP+CCID+U2F to me!
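Added illustration, not part of this post or of OpenVPN/OpenSC: a small Python parser for the `--show-pkcs11-ids` output quoted above, which turns the two cases shown (no objects reported vs. one Certificate block) into a usable `--pkcs11-id` argument or a clear "token not visible" result. The sample outputs and the serialized id value in them are constructed, not copied from a real token.

```python
import re

# Constructed sample: what the provider reports when the PIV applet is reachable
# (the OTP+CCID case in the post). The Serialized id value is a placeholder.
SAMPLE_WITH_TOKEN = """The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
       DN:             O=Example, OU=VPN, CN=client
       Serial:         0E
       Serialized id:  piv_II/CONSTRUCTED-SAMPLE-ID
"""

# Constructed sample: banner only, no objects (the OTP+CCID+U2F case in the post).
SAMPLE_NO_TOKEN = """The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.
"""

# One "Key:   value" field line inside a Certificate block; indentation optional.
FIELD_RE = re.compile(r"^\s*(DN|Serial|Serialized id):\s*(.*?)\s*$")


def parse_pkcs11_ids(text):
    """Return one dict per 'Certificate' block with keys dn, serial, serialized_id.
    An empty list means the PKCS#11 provider saw no usable token at all."""
    objects = []
    current = None
    for line in text.splitlines():
        if line.strip() == "Certificate":
            current = {}
            objects.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key = m.group(1).lower().replace(" ", "_")
            current[key] = m.group(2)
    return objects


def pkcs11_id_option(text):
    """Build the --pkcs11-id argument for the first certificate, single-quoted as
    the tool's own banner asks, or None when no token/certificate is visible."""
    objs = parse_pkcs11_ids(text)
    if not objs or "serialized_id" not in objs[0]:
        return None
    return "--pkcs11-id '%s'" % objs[0]["serialized_id"]
```

Feeding the real tool's stdout to `pkcs11_id_option` gives a quick scripted check of whether the card is actually visible through the provider before OpenVPN is started.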