Project

General

Profile

Actions
Copy link

Feature #9878

closed

IPsec PKCS#11 authentication

Added by Viktor Gurov over 4 years ago. Updated over 4 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Renato Botelho
Category:
IPsec
Target version:
2.5.0
Start date:
11/03/2019
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:

Description

Add ability to select and configure PKCS#11 RSA authentication in WebGUI

you need to install packages: ccid-1.4.30.txz, opensc-0.19.0.txz, pcsc-lite-1.8.24,2.txz + dependencies
and uncomment in /usr/local/etc/strongswan.d/charon/pkcs11.conf:

modules {
        opensc {
            load_certs = yes
            path = /usr/local/lib/opensc-pkcs11.so
        }
    }

add <earlyshellcmd>/usr/local/sbin/pcscd</earlyshellcmd> in /cf/conf/config.xml above </system>

successfully tested with Aktiv Co. Rutoken ECP: https://github.com/OpenSC/OpenSC/wiki/Aktiv-Co.-Rutoken-ECP
failed with Alladin eToken PRO 72K Java (uses proprietary pkcs11 library, not available for bsd): https://github.com/OpenSC/OpenSC/wiki/Aladdin-eToken-PRO

tested on pfSense 2.5.0.a.20191028.1945 (SG-1000)
IPsec tunnel with pfSense 2.4.4-p3

also see https://wiki.strongswan.org/projects/strongswan/wiki/SmartCards for reference

WARNING! test it only when pcscd daemon is running, or charon will flood your logs!

Files

Screenshot from 2019-11-03 17-54-54.png (48.3 KB) Screenshot from 2019-11-03 17-54-54.png WebGUI options Viktor Gurov, 11/03/2019 08:56 AM
Actions
Copy link

Also available in: Atom PDF