Feature #9878
closed
IPsec PKCS#11 authentication
100%
Description
Add ability to select and configure PKCS#11 RSA authentication in WebGUI
you need to install packages: ccid-1.4.30.txz, opensc-0.19.0.txz, pcsc-lite-1.8.24,2.txz + dependencies
and uncomment in /usr/local/etc/strongswan.d/charon/pkcs11.conf:
modules {
opensc {
load_certs = yes
path = /usr/local/lib/opensc-pkcs11.so
}
}
add <earlyshellcmd>/usr/local/sbin/pcscd</earlyshellcmd> in /cf/conf/config.xml above </system>
successfully tested with Aktiv Co. Rutoken ECP: https://github.com/OpenSC/OpenSC/wiki/Aktiv-Co.-Rutoken-ECP
failed with Alladin eToken PRO 72K Java (uses proprietary pkcs11 library, not available for bsd): https://github.com/OpenSC/OpenSC/wiki/Aladdin-eToken-PRO
tested on pfSense 2.5.0.a.20191028.1945 (SG-1000)
IPsec tunnel with pfSense 2.4.4-p3
also see https://wiki.strongswan.org/projects/strongswan/wiki/SmartCards for reference
WARNING! test it only when pcscd daemon is running, or charon will flood your logs!
Files
| Screenshot from 2019-11-03 17-54-54.png (48.3 KB) Screenshot from 2019-11-03 17-54-54.png | WebGUI options |
Updated by Viktor Gurov about 5 years ago
Updated by Jim Pingle about 5 years ago
- Status changed from New to Pull Request Review
- Target version deleted (
2.5.0)
Updated by Viktor Gurov almost 5 years ago
for today only CheckPoint support PKCS#11 tokens
most of other vendors (Palo Alto, Riverbed, Huawei, Fortinet, F5) supports only HSM,
some of them supports PKCS#11 only by clients hosts (Fortinet, Sophos)
Updated by Renato Botelho almost 5 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
- Target version set to 2.5.0
- % Done changed from 0 to 100
PR has been merged. Thanks!
Updated by Viktor Gurov almost 5 years ago
- Status changed from Feedback to Resolved
Renato Botelho wrote:
PR has been merged. Thanks!
tested on pfSense 2.5.0.a.20191223.2203 with Yubikey 4 (FIPS)
works as expected,
Resolved