SafeNet token


mobhz

Posts: 4
Joined: Sun Mar 22, 2020 10:52 pm

Post by mobhz » Mon Mar 23, 2020 1:02 am
I have a SafeNet token (model 5110). It works on Firefox with the /usr/local/lib/libeTPkcs11.dylib driver. It also works on Chrome. I configured Viscosity to use the same driver, but it didn't work. The following message is shown on clicking the Detect button in the PKCS11 authentication type:

"No PKCS11 names could be detected. Please make sure the provider information is correct, the device is connected, and that it is not currently in use by a VPN connection."

When I try to connect, no error is shown. See in the log below (with the "verb 7" option) that after "PKCS#11: Adding PKCS#11 provider '/usr/local/lib/libeTPkcs11.dylib'" the connection state is changed to Disconnected and the connection process restarts. This is repeated infinitely. What could be happening?

Thank you in advance.

2020-03-22 10:19:47: OpenVPN 2.4.8 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Mar 22 2020
2020-03-22 10:19:47: library versions: OpenSSL 1.1.1e 17 Mar 2020, LZO 2.10
2020-03-22 10:19:48: PKCS#11: Adding PKCS#11 provider '/usr/local/lib/libeTPkcs11.dylib'
2020-03-22 10:19:48: PKCS#11: Adding provider '/usr/local/lib/libeTPkcs11.dylib'-'/usr/local/lib/libeTPkcs11.dylib'
2020-03-22 10:19:48: State changed to Disconnected
2020-03-22 10:19:48: Delaying connection reconnect attempt by 60 seconds
2020-03-22 10:20:53: Viscosity Mac 1.8.5b5 (1533)
2020-03-22 10:20:53: Viscosity OpenVPN Engine Started
2020-03-22 10:20:53: Running on macOS 10.15.3
2020-03-22 10:20:53: ---------
2020-03-22 10:20:53: State changed to Connecting
2020-03-22 10:20:53: Checking reachability status of connection...

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Mon Mar 23, 2020 2:35 am
Hi mobhz,

The fault lies with the Safenet PKCS#11 driver: it no longer links to a valid version of macOS’s OpenSSL libraries, and so it crashes when OpenVPN attempts to use it under macOS 10.15.

This only started occurring in macOS 10.15 recently as Apple implemented increased security requirements for applications, and only applies to applications adhering to these new security requirements (like the hardened runtime), which Viscosity does adhere to. The driver will still work with applications that do not meet these requirements (they'll eventually be forced to), or applications that bundle a legacy version of OpenSSL into the same process loading the driver.

Gemalto recently released an updated version of their driver that may resolve the issue. I’m afraid we do not have a copy of this driver to test with to let you know either way, but your IT administrator should be able to provide you with the latest version so you can see whether the issue persists.
https://data-protection-updates.gemalto ... ouncement/

If you're still stuck, you can fix the Safenet driver by running the following command in the Terminal:
 ln -s /usr/lib/libcrypto.44.dylib /Library/Frameworks/eToken.framework/Versions/Current/libcrypto.dylib

For more information please see the following forum topic:
viewtopic.php?f=3&t=2789

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

mobhz

Posts: 4
Joined: Sun Mar 22, 2020 10:52 pm

Post by mobhz » Tue Apr 21, 2020 6:49 am
Hi James,
With the latest beta version of Viscosity, my token was recognized. However, after entering the password, the connection is not completed. I'm getting the following error:

2020-04-20 17:39:59: State changed to Authenticating
2020-04-20 17:40:24: PKCS#11: Cannot perform signature 112:'CKR_MECHANISM_INVALID'
2020-04-20 17:40:24: OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
2020-04-20 17:40:24: TLS_ERROR: BIO read tls_read_plaintext error
2020-04-20 17:40:24: TLS Error: TLS object -> incoming plaintext read error
2020-04-20 17:40:24: TLS Error: TLS handshake failed
2020-04-20 17:40:24: SIGTERM received, sending exit notification to peer
2020-04-20 17:40:24: SIGTERM[soft,tls-error] received, process exiting
2020-04-20 17:40:24: State changed to Disconnected

Any idea what it might be?

Thank you.

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Fri Apr 24, 2020 1:32 pm
Hi mobhz,

I'm afraid we'll need more information to figure out what is going on: Do you receive the same error with the latest stable version (1.8.5) of Viscosity? Did the workaround posted above for version 1.8.4 previously allow you to connect? Are you able to share any details about the identity stored on the token (such as whether it is using RSA or EC)? Finally, do you know what version of the SafeNet Authentication Client you have installed?

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

mobhz

Posts: 4
Joined: Sun Mar 22, 2020 10:52 pm

Post by mobhz » Sat Apr 25, 2020 2:27 am
James,

Do you receive the same error with the latest stable version (1.8.5) of Viscosity?
Yes

Did the workaround posted above for version 1.8.4 previously allow you to connect?
No. The error is exactly the same: "PKCS#11: Cannot perform signature 112:'CKR_MECHANISM_INVALID'"

Are you able to share any details about the identity stored on the token (such as whether it is using RSA or EC)?
Signature Algorithm: SHA-256 with RSA Encryption ( 1.2.840.113549.1.1.11 )
Public Key Info:
-> Algorithm: RSA Encryption ( 1.2.840.113549.1.1.1 )
-> Key Size: 2048

do you know what version of the SafeNet Authentication Client you have installed?
10.2 (10.2.97.0)
Link: https://www2.swift.com/3skey/help/mac_support.html

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Mon Apr 27, 2020 9:18 pm
Hi mobhz,

Thanks for the additional information.

We've managed to replicate the issue and figure out what is happening. I've included some technical details of what is going on below, along with a work-around so you can connect again.

Technical Details:

It appears the problem is that the SafeNet driver you're using (we tested with the same version) doesn't support using Raw RSA encryption for signing. Signing is the process of using the private key on your PKCS#11 token as part of the authentication process. OpenSSL (version 1.1.1) uses raw mode for signing when using TLS 1.2 or TLS 1.3, as this supports more modern and secure padding (which is part of the TLS 1.3 spec).

Instead the SafeNet driver appears to only support an older padding option which is used by older TLS versions (1.1 and earlier). It's not surprising that this is the case, as the SafeNet driver links to an old version of OpenSSL included with macOS (which doesn't support TLS 1.3). However it's also possible Raw RSA might be supported but disabled, or not match supported key sizes. It's worth noting that this only appears to apply to the macOS version of the driver, as the Windows version of the SafeNet driver handled Raw RSA encryption for signing in our testing.

Work-around

As for working around this issue, I have two suggestions:

1. Version "10.2 Post GA" (10.2.97.0) of the SafeNet driver is not the latest version. I recommend asking your provider for the latest version "10.2 Post GA R2". At the very least this version has better support for macOS 10.15, and may also resolve this issue.

2. If the latest SafeNet driver doesn't resolve the problem, you can work-around it by setting your VPN connection to use TLS 1.1 instead. To do this, add the command "tls-version-max 1.1" (without the quotes) to the Advanced Commands area for your connection:
https://www.sparklabs.com/support/kb/ar ... n-commands

In the meantime we'll continue to look into it and see if there are any work-arounds we can put in place.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
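The following is an added worked example, not code from Viscosity, OpenVPN, SafeNet or the poster, that models the failure James describes above. It assumes a hypothetical `ToyToken` class standing in for a PKCS#11 driver whose mechanism list either does or does not include raw RSA (`CKM_RSA_X_509`), and a demo-only RSA key generated in Python (a real deployment never sees the private key; it stays on the token). The PSS and PKCS#1 v1.5 encoders are written from RFC 8017 for the example. The point it shows: an RSA-PSS signature (what OpenSSL 1.1.1 produces for TLS 1.2/1.3 CertificateVerify) is padded in software and then needs a raw private-key operation on the token, so a driver that only exposes `CKM_RSA_PKCS` (v1.5 padding done inside the token) returns `CKR_MECHANISM_INVALID`, while the older v1.5 path still works.

```python
import hashlib
import random

HLEN = 32  # SHA-256 output length
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix, RFC 8017 s.9.2

class Pkcs11Error(Exception):
    """Stand-in for a PKCS#11 return code such as CKR_MECHANISM_INVALID."""

def _is_probable_prime(n, rounds=24):
    # Miller-Rabin; only good enough for a toy demo key.
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit set and odd
        if _is_probable_prime(cand):
            return cand

def generate_rsa_key(bits=1024):
    """Demo-only key generation (assumption: hypothetical key, not the token's)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return n, e, pow(e, -1, phi)

class ToyToken:
    """Hypothetical PKCS#11 token; `mechanisms` is what C_GetMechanismList would report."""

    def __init__(self, n, e, d, mechanisms):
        self.n, self.e, self.d, self.mechanisms = n, e, d, frozenset(mechanisms)
        self.k = (n.bit_length() + 7) // 8  # modulus length in bytes

    def sign(self, mechanism, data):
        if mechanism not in self.mechanisms:
            raise Pkcs11Error("CKR_MECHANISM_INVALID")
        if mechanism == "CKM_RSA_PKCS":
            # The token applies EMSA-PKCS1-v1_5 (block type 1); the caller supplies DigestInfo||hash.
            em = b"\x00\x01" + b"\xff" * (self.k - len(data) - 3) + b"\x00" + data
        else:  # CKM_RSA_X_509: raw RSA, the caller has already built the full k-byte block
            em = data
        return pow(int.from_bytes(em, "big"), self.d, self.n).to_bytes(self.k, "big")

    def public_op(self, sig):
        # RSA public operation, used here only to inspect what was actually signed.
        return pow(int.from_bytes(sig, "big"), self.e, self.n).to_bytes(self.k, "big")

def _mgf1(seed, length):
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                    for i in range(-(-length // HLEN)))[:length]

def emsa_pss_encode(msg, em_bits, salt):
    """EMSA-PSS-ENCODE (RFC 8017, section 9.1.1) with SHA-256 and MGF1-SHA256."""
    em_len = (em_bits + 7) // 8
    h = hashlib.sha256(b"\x00" * 8 + hashlib.sha256(msg).digest() + salt).digest()
    db = b"\x00" * (em_len - len(salt) - HLEN - 2) + b"\x01" + salt
    masked = bytes(a ^ b for a, b in zip(db, _mgf1(h, em_len - HLEN - 1)))
    first = masked[0] & (0xFF >> (8 * em_len - em_bits))  # clear the leftmost excess bits
    return bytes([first]) + masked[1:] + h + b"\xbc"

def sign_pss_via_token(token, msg, salt):
    """OpenSSL 1.1.1 path for rsa_pss_rsae_*: pad in software, then raw RSA on the token."""
    em = emsa_pss_encode(msg, token.n.bit_length() - 1, salt)
    return token.sign("CKM_RSA_X_509", em.rjust(token.k, b"\x00"))

def sign_pkcs1v15_via_token(token, msg):
    """rsa_pkcs1_sha256 / pre-TLS-1.2 path: the token does the padding under CKM_RSA_PKCS."""
    return token.sign("CKM_RSA_PKCS", SHA256_DIGESTINFO + hashlib.sha256(msg).digest())

def demo(seed=2020):
    random.seed(seed)  # reproducible toy key
    n, e, d = generate_rsa_key(1024)
    msg = b"constructed sample: the bytes OpenSSL hands to the signer for CertificateVerify"
    salt = b"\x5a" * HLEN
    capable = ToyToken(n, e, d, {"CKM_RSA_PKCS", "CKM_RSA_X_509"})
    legacy = ToyToken(n, e, d, {"CKM_RSA_PKCS"})  # models a driver with no raw-RSA mechanism
    out = {"pss_on_capable_token": capable.public_op(sign_pss_via_token(capable, msg, salt))
           == emsa_pss_encode(msg, n.bit_length() - 1, salt)}
    out["v15_on_legacy_token"] = legacy.public_op(sign_pkcs1v15_via_token(legacy, msg)).endswith(
        SHA256_DIGESTINFO + hashlib.sha256(msg).digest())
    try:
        sign_pss_via_token(legacy, msg, salt)
        out["pss_on_legacy_token"] = "signed"
    except Pkcs11Error as err:
        out["pss_on_legacy_token"] = str(err)  # what OpenVPN surfaces as "Cannot perform signature"
    return out

if __name__ == "__main__":
    print(demo())
```

On real hardware the equivalent check is to list the driver's mechanisms, for example with OpenSC's `pkcs11-tool --module /usr/local/lib/libeTPkcs11.dylib -M`, and look for `CKM_RSA_X_509` (or a native `CKM_RSA_PKCS_PSS`): if neither is present, a PSS-signing TLS 1.2/1.3 client cannot use the key through that driver. Capping the connection with `tls-version-max 1.1` avoids PSS, but it also downgrades the whole handshake to pre-2008 ciphersuites, so treat it as a stopgap until a driver that supports raw RSA is available.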

mobhz

Posts: 4
Joined: Sun Mar 22, 2020 10:52 pm

Post by mobhz » Tue Apr 28, 2020 2:57 am
James,
I am not able to download the newest version of the SafeNet driver. So I used your second suggestion and it worked very well. That's enough for me. Thank you very much for the help.

Marcelo.