Page 1 of 1

Cannot connect with PKCS11 token under Mojave (Mac OS 10.14)

Posted: Thu Oct 18, 2018 5:06 pm
by matsimoto
Hi,

I use an Athena ID Protect to access the intranet of my company. It works for years but has stopped working after the Mojave update.

ssh with this token is still working, but when I try to open the VPN with Viscosity I get this in the logs:

---- LOG ----
2018-10-18 07:50:44: Viscosity Mac 1.7.11 (1463)
2018-10-18 07:50:44: Viscosity OpenVPN Engine Started
2018-10-18 07:50:44: Running on macOS 10.14.0
2018-10-18 07:50:44: ---------
2018-10-18 07:50:44: State changed to verbinde
2018-10-18 07:50:44: Checking reachability status of connection...
2018-10-18 07:50:45: Connection is reachable. Starting connection attempt.
2018-10-18 07:50:45: OpenVPN 2.4.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Jul 20 2018
2018-10-18 07:50:45: library versions: OpenSSL 1.0.2o 27 Mar 2018, LZO 2.10
2018-10-18 07:50:46: PKCS#11: Adding PKCS#11 provider '/Library/Application Support/Athena/libASEP11.dylib'
2018-10-18 07:50:46: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2018-10-18 07:50:46: PKCS#11: Cannot get certificate object
2018-10-18 07:50:46: PKCS#11: Cannot get certificate object
2018-10-18 07:50:46: PKCS#11: Unable get evp object
2018-10-18 07:50:46: Cannot load certificate "Athena\x20Smartcard\x20Solutions/IDProtect/015...7918/user/7B3561...377D" using PKCS#11 interface
2018-10-18 07:50:46: SIGUSR1[soft,private-key-password-failure] received, process restarting
2018-10-18 07:50:46: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2018-10-18 07:50:49: State changed to Disconnecting
2018-10-18 07:50:49: PKCS#11: Cannot get certificate object
2018-10-18 07:50:49: PKCS#11: Cannot get certificate object
2018-10-18 07:50:49: PKCS#11: Unable get evp object
2018-10-18 07:50:49: Cannot load certificate "Athena\x20Smartcard\x20Solutions/IDProtect/015...7918/user/7B3561...377D" using PKCS#11 interface
2018-10-18 07:50:49: SIGUSR1[soft,private-key-password-failure] received, process restarting
2018-10-18 07:50:49: Viscosity Mac 1.7.11 (1463)
2018-10-18 07:50:49: Viscosity OpenVPN Engine Started
2018-10-18 07:50:49: Running on macOS 10.14.0
2018-10-18 07:50:49: ---------
2018-10-18 07:50:49: State changed to verbinde
2018-10-18 07:50:50: State changed to Disconnecting
2018-10-18 07:50:50: SIGTERM[hard,init_instance] received, process exiting
2018-10-18 07:50:50: State changed to getrennt
2018-10-18 07:51:07: Viscosity Mac 1.7.11 (1463)
2018-10-18 07:51:07: Viscosity OpenVPN Engine Started
2018-10-18 07:51:07: Running on macOS 10.14.0
2018-10-18 07:51:07: ---------

Re: Cannot connect with PKCS11 token under Mojave (Mac OS 10.14)

Posted: Wed Oct 24, 2018 11:21 pm
by James
Hi matsimoto,

We've just tested a number of PKCS#11 tokens under macOS 10.14, and didn't encounter any problems using them with Viscosity. It likely means that the PKCS#11 driver being used are not fully compatible with macOS 10.14. I recommend getting in touch with the manufacture and checking whether the drivers have been tested under the latest version of macOS.

It's also possible the certificate name representation could have changed under running under macOS 10.14. If you are using a fixed name (i.e. the PKCS11 Retrieval option for your connection is set to "Use certificate name below"), try hitting the Detect button with the token connected and see if your certificate/s are listed under a slightly different name. Or try connecting using the "Prompt for certificate name" option instead.

As an alternative you may like to see whether the OpenSC drivers are compatible with your device. OpenSC is a generic driver designed to work with a large number of PKCS#11 devices from varying manufactures. We have tested OpenSC with a number of the tokens we use for testing, and didn't run into any problems under macOS 10.14 (using OpenSC version 0.19.0).

Cheers,
James