Hi,
I’m trying to connect to an openvpn server running on an opnsense using an Nitrokey Pro. I’m getting the following error:
Enter OpenPGP card (User PIN) token Password: ******
2024-03-25 14:36:58 PKCS#11: Cannot perform signature 112:‘CKR_MECHANISM_INVALID’
2024-03-25 14:36:58 OpenSSL: error:0A080006:SSL routines::EVP lib
2024-03-25 14:36:58 TLS_ERROR: BIO read tls_read_plaintext error
2024-03-25 14:36:58 TLS Error: TLS object → incoming plaintext read error
2024-03-25 14:36:58 TLS Error: TLS handshake failed
Versions Server:
opnsense 24.1.4
openssl 3.0.13
openvpn 2.6.9
Versions Linux Client:
linuxmint 21.3
openssl 3.0.2-0ubuntu1.15
openvpn 2.5.9-0ubuntu0.22.04.2
opensc 0.22.0-1ubuntu2
Same happens with Windows using the viscosity vpn client:
Mrz 25 2:12:05 PM: Status auf Authenticating geändert
Mrz 25 2:12:09 PM: ERROR: An unknown error occured while trying to logon to this token. Please contact your device provider for further assistance.
Method C_SignInit returned CKR_MECHANISM_INVALID Retrying…
Mrz 25 2:12:12 PM: Status auf Trenne Verbindung (PKCS#11 Cancel) geändert
Mrz 25 2:12:12 PM: ERROR: PKCS#11 signing failed.
Mrz 25 2:12:12 PM: OpenSSL: error:0A080006:SSL routines::EVP lib:
Mrz 25 2:12:12 PM: TLS_ERROR: BIO read tls_read_plaintext error
Mrz 25 2:12:12 PM: TLS Error: TLS object → incoming plaintext read error
Mrz 25 2:12:12 PM: TLS Error: TLS handshake failed
Versions Windows client:
windows 11 home
viscosity 1.11
opensc 0.25.0
Asking google, the problem seems to be, that current versions of openvpn and openssl use TLS 1.3 and this requires RSA-PSS, which might not be supported by the NitroKey?
On Linux, it works when by downgrading the connection to TLS1.2 in the openssl.cnf:
SignatureAlgorithms = RSA+SHA512:ECDSA+SHA512:RSA+SHA384:ECDSA+SHA384:RSA+SHA256:ECDSA+SHA256"
MaxProtocol = TLSv1.2
MinProtocol = TLSv1.2
I don’t think, this is a good solution and on windows I didn’t find a way to force the viscosity client to use TLS1.2 at all. I also don’t see a way to force the server to use TLS1.2, since opnsense apparently has no config option for this.
Is there a way to use the NitroKey in this scenario with TLS1.3?