Project

General

Profile

Feature #9878

IPsec PKCS#11 authentication

Added by Viktor Gurov 12 months ago. Updated 10 months ago.

Status:
Resolved
Priority:
Normal
Category:
IPsec
Target version:
Start date:
11/03/2019
Due date:
% Done:

100%

Estimated time:

Description

Add ability to select and configure PKCS#11 RSA authentication in WebGUI

you need to install packages: ccid-1.4.30.txz, opensc-0.19.0.txz, pcsc-lite-1.8.24,2.txz + dependencies
and uncomment in /usr/local/etc/strongswan.d/charon/pkcs11.conf:

modules {
        opensc {
            load_certs = yes
            path = /usr/local/lib/opensc-pkcs11.so
        }
    }

add <earlyshellcmd>/usr/local/sbin/pcscd</earlyshellcmd> in /cf/conf/config.xml above </system>

successfully tested with Aktiv Co. Rutoken ECP: https://github.com/OpenSC/OpenSC/wiki/Aktiv-Co.-Rutoken-ECP
failed with Alladin eToken PRO 72K Java (uses proprietary pkcs11 library, not available for bsd): https://github.com/OpenSC/OpenSC/wiki/Aladdin-eToken-PRO

tested on pfSense 2.5.0.a.20191028.1945 (SG-1000)
IPsec tunnel with pfSense 2.4.4-p3

also see https://wiki.strongswan.org/projects/strongswan/wiki/SmartCards for reference

WARNING! test it only when pcscd daemon is running, or charon will flood your logs!

Screenshot from 2019-11-03 17-54-54.png (48.3 KB) Screenshot from 2019-11-03 17-54-54.png WebGUI options Viktor Gurov, 11/03/2019 08:56 AM

Associated revisions

Revision 50ceeac3 (diff)
Added by Renato Botelho 11 months ago

Ticket #9878: Add OPTIONS for opensc

History

#2 Updated by Jim Pingle 12 months ago

  • Status changed from New to Pull Request Review
  • Target version deleted (2.5.0)

#3 Updated by Viktor Gurov 11 months ago

for today only CheckPoint support PKCS#11 tokens

most of other vendors (Palo Alto, Riverbed, Huawei, Fortinet, F5) supports only HSM,
some of them supports PKCS#11 only by clients hosts (Fortinet, Sophos)

#4 Updated by Renato Botelho 11 months ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • Target version set to 2.5.0
  • % Done changed from 0 to 100

PR has been merged. Thanks!

#5 Updated by Viktor Gurov 10 months ago

  • Status changed from Feedback to Resolved

Renato Botelho wrote:

PR has been merged. Thanks!

tested on pfSense 2.5.0.a.20191223.2203 with Yubikey 4 (FIPS)

works as expected,
Resolved

Also available in: Atom PDF