OpenVPN can use smart cards instead of --key/cert which works great for me
via --pkcs11-id '...' with values from 'openvpn --show-pkcs11-ids | grep id:'
on the client and no further config; the server needs no changes.
See openvpn(8) "PKCS#11 / SmartCard options" for more.
New dependency:
Information for inst:pkcs11-helper-1.30.0
Comment:
library with PKCS
Required by:
openvpn-2.6.12p0
Description:
pkcs11-helper allows using multiple PKCS#11 providers at the same
time, enumerating available token certificates, or selecting a
certificate directly by serialized id, handling card removal and
card insert events, handling card re-insert to a different
slot, supporting session expiration and much more all using a
simple API.
pkcs11-helper is not designed to manage card content, since object
attributes are usually vendor specific, and 99% of application need
to access existing objects in order to perform signature and
decryption.
Maintainer: Klemens Nanni <kn@openbsd.org>
WWW: https://github.com/OpenSC/pkcs11-helper
It can use different TLS implementations - I explicitly enabled LibreSSL
alone and left OpenVPN's FLAVOR=mbedtls unchanged as I don't use that.
Feedback? OK?
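The client-side setup the mail describes boils down to picking a serialized id from `openvpn --show-pkcs11-ids` and putting it into `--pkcs11-id`. The following POSIX sh helper is an added example, not code from the mail or from the OpenVPN port: it parses the "Serialized id:" lines of that listing, checks that the id a config is about to name is really one the token exposes, and only then emits the `pkcs11-id` line that replaces `cert`/`key`. The listing layout follows OpenVPN's show-pkcs11-ids output; the vendor, model, serial, label and id values in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the mail or the port): sanity-check a --pkcs11-id
# value against what `openvpn --show-pkcs11-ids` actually lists.

# Constructed sample of the listing. The "Serialized id:" line layout is what
# OpenVPN prints; every value below is made up for the example.
SAMPLE_SHOW_OUTPUT='
The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
       DN:             /CN=alice/O=Example
       Serial:         01
       Serialized id:  ExampleVendor/PIVCard/0123456789/alice/01

Certificate
       DN:             /CN=alice-enc/O=Example
       Serial:         02
       Serialized id:  ExampleVendor/PIVCard/0123456789/alice/02
'

# Read show-pkcs11-ids output on stdin, print one serialized id per line.
pkcs11_ids() {
    sed -n 's/^[[:space:]]*Serialized id:[[:space:]]*//p'
}

# Number of ids found in the listing given as $1.
count_pkcs11_ids() {
    printf '%s\n' "$1" | pkcs11_ids | wc -l | tr -d ' '
}

# Return 0 if id $1 is exactly (whole line, no regex) one of the ids in the
# listing $2, 1 otherwise.
pkcs11_id_present() {
    wanted=$1
    shown=$2
    printf '%s\n' "$shown" | pkcs11_ids | grep -qFx -- "$wanted"
}

# Emit the client config line that replaces cert/key for id $1, or fail
# (non-zero, nothing printed) when the token in listing $2 does not expose it.
# Assumed: remote, ca and the rest of the client config come from elsewhere.
pkcs11_client_lines() {
    wanted=$1
    shown=$2
    pkcs11_id_present "$wanted" "$shown" || return 1
    printf "pkcs11-id '%s'\n" "$wanted"
}

# Stand-alone run on the constructed sample. Against a real card, replace the
# sample with: shown=$(openvpn --show-pkcs11-ids)
pkcs11_client_lines 'ExampleVendor/PIVCard/0123456789/alice/01' "$SAMPLE_SHOW_OUTPUT"
```

The exact-line match (`grep -Fx`) matters: serialized ids share long common prefixes (vendor, model, card serial), so a substring match would happily accept a truncated or mistyped id and the client would only fail later, at connect time, with a less obvious error.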
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/openvpn/Makefile,v
diff -u -p -r1.130 Makefile
--- Makefile 21 Dec 2024 11:38:33 -0000 1.130
+++ Makefile 30 Dec 2024 23:16:33 -0000
@@ -26,6 +26,8 @@ CONFIGURE_ENV= CPPFLAGS="-I${LOCALBASE}/
LDFLAGS="-L${LOCALBASE}/lib ${LDFLAGS}"
CONFIGURE_ARGS+=--with-openssl-engine=no
+SEPARATE_BUILD= Yes
+
DEBUG_PACKAGES= ${BUILD_PACKAGES}
FLAVORS= mbedtls
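Review bot: SEPARATE_BUILD= Yes is unrelated to the PKCS#11 change and the mail gives no reason for it; either say why it is needed (or that it is a cleanup taken along), or commit it separately so the dependency change and REVISION bump below stay reviewable on their own.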
@@ -36,7 +38,14 @@ LIB_DEPENDS+= security/polarssl
CONFIGURE_ARGS+= --with-crypto-library=mbedtls
WANTLIB += mbedcrypto mbedtls mbedx509 pthread
.else
-WANTLIB += crypto ssl
+REVISION= 0
+LIB_DEPENDS+= security/pkcs11-helper
+# dlopen()s p11-kit-proxy.so
+BUILD_DEPENDS+= security/p11-kit
+RUN_DEPENDS+= security/p11-kit
+CONFIGURE_ARGS+= --enable-pkcs11
+WANTLIB += pthread pkcs11-helper
+WANTLIB += crypto ssl pkcs11-helper
.endif
SAMPLES_DIR= ${PREFIX}/share/examples/openvpn
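Review bot: pkcs11-helper is listed twice in WANTLIB in the .else branch, once in `WANTLIB += pthread pkcs11-helper` and again in `WANTLIB += crypto ssl pkcs11-helper`; collapse the two lines into a single `WANTLIB += crypto ssl pthread pkcs11-helper`. Also, given the `# dlopen()s p11-kit-proxy.so` comment, it would help to state whether configure or the test suite actually needs p11-kit at build time, or whether RUN_DEPENDS alone is enough and the BUILD_DEPENDS line can go.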