chadw75 / tunnelblick

Automatically exported from code.google.com/p/tunnelblick
0 stars 0 forks source link

openvpn on OS X hangs while connecting with PKCS#11 #131

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
Everything seems to work ok while connecting until openvpn hands when trying to 
setup the ip 
address on the tun interface.
The tun interface is created but still in down state, the last thing in the 
openvpn log is
/sbin/ifconfig tun0 x.x.x.x y.y.y.y netmask 255.255.255.255 mtu 1500 up and
"Getting Configuartion" as status in the GUI

What is the expected output? What do you see instead?

What version of Tunnelblick are you using? On what version of OS X? PPC or 
Intel?
Tunnelblick 3.0b24 on Intel OS X Snow Leopard 10.6.2

Please provide any additional information below.
Seems like the pkcs11 library from opensc's SCA-0.2.7 tries to talk to the 
built in pcscd daemon
and if I kill the daemon the connection gets established successfully.

Original issue reported on code.google.com by nde...@gmail.com on 21 Dec 2009 at 2:21

GoogleCodeExporter commented 9 years ago
Same problem with Tunnelblick built from source (rev 314). Hangs at:

2009-12-21 22:49:14 SENT CONTROL [xxx.xxx.xxx.xxx]: 'PUSH_REQUEST' (status=1)

And when pcscd is killed the process continues normally and establishes a 
connection.

Original comment by georgi.k...@gmail.com on 21 Dec 2009 at 8:51

GoogleCodeExporter commented 9 years ago
Actually this is not Tunnelblick issue. Same happens when doing openvpn in 
terminal.
I have been struggling with this problem for months now. Thanks for the comment 
of this issue I can finally 
establish vpn connection. Unfortunately connection is killed after 10 minutes, 
even if I restart pcscd after 
connection has been established. Hope someone resolves this.

Original comment by markus.u...@gmail.com on 6 Jan 2010 at 4:13

GoogleCodeExporter commented 9 years ago
Is there any light glowing from the end of the tunnel? :)
Or can anybody tell why my connection drops exactly after 10 minutes?

Original comment by markus.u...@gmail.com on 26 Feb 2010 at 10:49

GoogleCodeExporter commented 9 years ago
Does it work with Tunnelblick version 3.0b14? That was the first version that 
supported PKCS#11. Later versions 
of Tunnelblick had different versions of OpenVPN.

Original comment by jkbull...@gmail.com on 27 Feb 2010 at 12:18

GoogleCodeExporter commented 9 years ago

Original comment by jkbull...@gmail.com on 31 Oct 2010 at 12:46

GoogleCodeExporter commented 9 years ago
Issue still exist in Tunnelblick 3.2.3 and Mac OS X 10.7.3

Original comment by maci...@gmail.com on 4 Feb 2012 at 3:41

GoogleCodeExporter commented 9 years ago
Does it work with Tunnelblick version 3.0b14? That was the first version that 
supported PKCS#11. Later versions 
of Tunnelblick had different versions of OpenVPN.

Original comment by jkbull...@gmail.com on 4 Feb 2012 at 1:26

GoogleCodeExporter commented 9 years ago
Unable to test:

2012-04-18 08:49:58 Tunnelblick 3 (3.0b14 build 573); OpenVPN 2 (2.1_rc15)
2012-04-18 08:50:19 SUCCESS: pid=6391
2012-04-18 08:50:19 SUCCESS: real-time state notification set to ON
2012-04-18 08:50:19 SUCCESS: real-time log notification set to ON
2012-04-18 08:50:19 OpenVPN 2.1_rc15 i386-apple-darwin9.8.0 [SSL] [LZO2] 
[PKCS11] built on Aug 10 2009
2012-04-18 08:50:19 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337
2012-04-18 08:50:19  waiting...
2012-04-18 08:50:19 MANAGEMENT: Client connected from 127.0.0.1:1337
2012-04-18 08:50:19 END
2012-04-18 08:50:19 SUCCESS: hold release succeeded
2012-04-18 08:50:19 PKCS#11: Adding PKCS#11 provider 
'/Library/OpenSC/lib/opensc-pkcs11.so'
2012-04-18 08:50:29 NOTE: the current --script-security setting may allow this 
configuration to call user-defined scripts
2012-04-18 08:50:29 Control Channel Authentication: using 
'/Users/roy/Library/Application Support/Tunnelblick/Configurations/ta.key' as a 
OpenVPN static key file
2012-04-18 08:50:29 Outgoing Control Channel Authentication: Using 160 bit 
message hash 'SHA1' for HMAC authentication
2012-04-18 08:50:29 Incoming Control Channel Authentication: Using 160 bit 
message hash 'SHA1' for HMAC authentication
2012-04-18 08:50:29 LZO compression initialized
2012-04-18 08:50:29 Control Channel MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 
EL:0 ]
2012-04-18 08:50:29 
2012-04-18 08:50:29 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 
EL:0 AF:3/1 ]
2012-04-18 08:50:29 Local Options hash (VER=V4): 'ee93268d'
2012-04-18 08:50:29 Expected Remote Options hash (VER=V4): 'bd577cd1'
2012-04-18 08:50:29 Attempting to establish TCP connection with 
************:1194 [nonblock]
2012-04-18 08:50:29 
2012-04-18 08:50:30 TCP connection established with ************:1194
2012-04-18 08:50:30 Socket Buffers: R=[525624->65536] S=[131768->65536]
2012-04-18 08:50:30 TCPv4_CLIENT link local: [undef]
2012-04-18 08:50:30 TCPv4_CLIENT link remote: ************:1194
2012-04-18 08:50:30 
2012-04-18 08:50:30 
2012-04-18 08:50:30  sid=9c27ad41 61afd230
2012-04-18 08:50:30  
/C=NL/ST=NH/L=Amsterdam/O=********/CN=********/emailAddress=********
2012-04-18 08:50:30 VERIFY OK: nsCertType=SERVER
2012-04-18 08:50:30  
/C=NL/ST=NH/L=Amsterdam/O=********/CN=********/emailAddress=********
2012-04-18 08:50:37  but not yet verified
2012-04-18 08:50:38 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 
bit key
2012-04-18 08:50:38 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for 
HMAC authentication
2012-04-18 08:50:38 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 
bit key
2012-04-18 08:50:38 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for 
HMAC authentication
2012-04-18 08:50:38  1024 bit RSA
2012-04-18 08:50:38 [server] Peer Connection Initiated with ************:1194
2012-04-18 08:50:39 
2012-04-18 08:50:39 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2012-04-18 08:50:39 ifconfig 10.9.0.10 10.9.0.9'
2012-04-18 08:50:39 OPTIONS IMPORT: timers and/or timeouts modified
2012-04-18 08:50:39 OPTIONS IMPORT: --ifconfig/up options modified
2012-04-18 08:50:39 OPTIONS IMPORT: route options modified
2012-04-18 08:50:39 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options 
modified
2012-04-18 08:50:39 ROUTE default_gateway=192.168.1.1
2012-04-18 08:50:39 Cannot open TUN/TAP dev /dev/tun1: No such file or 
directory (errno=2)

/dev/tun1 isn't created properly, as commands have been changed over time, I 
quess.

Original comment by r...@eflicta.nl on 18 Apr 2012 at 6:57

GoogleCodeExporter commented 9 years ago
Not sure if this is related. Running PCSCD with debugging, I see the following 
when Tunnelblick/openvpn hangt on "retrieving IP configuration".

==> SHMMessageSend:
12 34 56 78 00 00 01 50 00 00 00 F1 00 00 00 00 00 00 00 00 00 00 00 11 4F 8F 
C0 BE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 6B 68 
00 00 00 02 00 00 00 08 00 00 00 17 00 00 00 00
/SourceCache/SmartCardServices/SmartCardServices-55000/src/PCSC/winscard_msg.cpp
:119:SHMClientReadMessage() SHMClientReadMessage: Issuing read for 48 bytes 
(header)
/SourceCache/SmartCardServices/SmartCardServices-55000/src/PCSC/winscard_msg.cpp
:500:SHMMessageReceive() SHMMessageReceive errno: 0x0000003C: Operation timed 
out
/SourceCache/SmartCardServices/SmartCardServices-55000/src/PCSC/winscard_msg.cpp
:501:SHMMessageReceive() SHMMessageReceive retval: 0x00000000, bytes read: 48

I think "0x0000003C: Operation timed out" is the issue here?

Original comment by r...@eflicta.nl on 19 Apr 2012 at 7:41

GoogleCodeExporter commented 9 years ago
It's an openvpn issue - https://community.openvpn.net/openvpn/ticket/92 . I can 
confirm that --script-security 2 system makes it work with openvpn 2.2. 
Unfortunately tunnelblick seems to ignore it if specified in config file and 
system() support is removed from openvpn 2.3 at all.

Original comment by hasso.te...@gmail.com on 25 Jan 2013 at 7:26