Yubikey PKCS11 not working since last macOS update


freerk

Posts: 2
Joined: Wed Jun 12, 2024 6:54 pm

Post by freerk » Wed Jun 12, 2024 9:06 pm
Hi,

We have a PKCS#11 setup and are getting this error since the last macOS upgrade.

```
2024-06-11 13:17:58: Viscosity Mac 1.11.2 (1691)
2024-06-11 13:17:58: Viscosity OpenVPN Engine Started
2024-06-11 13:17:58: Running on macOS 14.5
2024-06-11 13:17:58: ---------
2024-06-11 13:17:58: State changed to Connecting
2024-06-11 13:17:58: Checking reachability status of connection...
2024-06-11 13:17:58: Connection is reachable. Starting connection attempt.
2024-06-11 13:17:58: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
2024-06-11 13:17:58: OpenVPN 2.6.10 aarch64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD]
2024-06-11 13:17:58: library versions: OpenSSL 3.0.14 4 Jun 2024, LZO 2.10
2024-06-11 13:17:58: PKCS#11: Adding PKCS#11 provider '/Library/OpenSC/lib/opensc-pkcs11.so'
2024-06-11 13:17:58: Resolving address: officevpn.ham1.de.scaleuptech.com
2024-06-11 13:17:58: Resolving address: officevpn.ham1.de.scaleuptech.com
2024-06-11 13:17:58: Valid endpoint found: 85.158.4.2:443:tcp-client
2024-06-11 13:17:58: TCP/UDP: Preserving recently used remote address: [AF_INET]85.158.4.2:443
2024-06-11 13:17:58: Attempting to establish TCP connection with [AF_INET]85.158.4.2:443
2024-06-11 13:17:58: TCP connection established with [AF_INET]85.158.4.2:443
2024-06-11 13:17:58: TCPv4_CLIENT link local (bound): [AF_INET][undef]:0
2024-06-11 13:17:58: TCPv4_CLIENT link remote: [AF_INET]85.158.4.2:443
2024-06-11 13:17:58: State changed to Authenticating
2024-06-11 13:17:58: OpenSSL: error:0A080006:SSL routines::EVP lib:
2024-06-11 13:17:58: TLS_ERROR: BIO read tls_read_plaintext error
2024-06-11 13:17:58: TLS Error: TLS object -> incoming plaintext read error
2024-06-11 13:17:58: TLS Error: TLS handshake failed
2024-06-11 13:17:58: Fatal TLS error (check_tls_errors_co), restarting
2024-06-11 13:17:58: SIGTERM[soft,tls-error] received, process exiting
2024-06-11 13:17:58: State changed to Disconnected (Process Terminated)
2024-06-11 13:17:58: Delaying connection reconnect attempt by 600 seconds
```

Any help is appreciated
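As an added example (not part of any post in this thread, and not Viscosity or OpenVPN code), the sketch below decodes the `0A080006` code from the log using the OpenSSL 3.x error-code layout and ties it to the PKCS#11 provider and connection state logged before it. It shows the SSL layer reporting a failed call into EVP, OpenSSL's crypto API. The function names and the `LIBS` subset are assumptions made for the example.

```python
import re

# OpenSSL 3.x error code layout (openssl/err.h): library number in 8 bits at
# offset 23, reason in the low 23 bits. A reason with ERR_RFLAG_COMMON set and a
# low part below 256 is ERR_R_<LIB>_LIB: a call into that sub-library failed.
ERR_SYSTEM_FLAG = 0x80000000
ERR_LIB_OFFSET, ERR_LIB_MASK = 23, 0xFF
ERR_REASON_MASK = 0x7FFFFF
ERR_RFLAGS_OFFSET = 18
ERR_RFLAG_COMMON = 0x2 << ERR_RFLAGS_OFFSET

# Subset of the ERR_LIB_* numbers (assumed sufficient for this example).
LIBS = {2: "SYS", 3: "BN", 4: "RSA", 6: "EVP", 9: "PEM", 11: "X509",
        13: "ASN1", 16: "EC", 20: "SSL", 32: "BIO", 38: "ENGINE"}

def decode_openssl_error(code_hex):
    """Split an 8-hex-digit OpenSSL 3.x error code into its fields."""
    code = int(code_hex, 16)
    if code & ERR_SYSTEM_FLAG:  # an errno from the OS, not a library error
        return {"lib": "SYS", "failed_call_into": None}
    lib = (code >> ERR_LIB_OFFSET) & ERR_LIB_MASK
    reason = code & ERR_REASON_MASK
    low = reason & ((1 << ERR_RFLAGS_OFFSET) - 1)
    is_lib_reason = bool(reason & ERR_RFLAG_COMMON) and low < 256
    inner = LIBS.get(low, str(low)) if is_lib_reason else None
    return {"lib": LIBS.get(lib, str(lib)), "failed_call_into": inner}

def triage(log_text):
    """Return the PKCS#11 provider path and each OpenSSL error with its state."""
    result = {"provider": None, "errors": []}
    state = None
    for line in log_text.splitlines():
        if (m := re.search(r"Adding PKCS#11 provider '([^']+)'", line)):
            result["provider"] = m.group(1)
        elif (m := re.search(r"State changed to (\w+)", line)):
            state = m.group(1)  # remember the state the next error occurs in
        elif (m := re.search(r"OpenSSL: error:([0-9A-Fa-f]{8}):", line)):
            result["errors"].append((state, decode_openssl_error(m.group(1))))
    return result

# Excerpt of the log posted above.
SAMPLE_LOG = """\
2024-06-11 13:17:58: PKCS#11: Adding PKCS#11 provider '/Library/OpenSC/lib/opensc-pkcs11.so'
2024-06-11 13:17:58: State changed to Authenticating
2024-06-11 13:17:58: OpenSSL: error:0A080006:SSL routines::EVP lib:
2024-06-11 13:17:58: TLS_ERROR: BIO read tls_read_plaintext error
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```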

James

Posts: 2379
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Thu Jun 13, 2024 1:38 pm
Hi freerk,

There are no known issues with the latest version of Viscosity and PKCS#11. I recommend making sure the version of OpenSC you are using is up-to-date, as they have released a few new versions over the past couple of months.

Another alternative is to make use of Viscosity’s System Identity authentication feature. It uses macOS’s inbuilt token support (instead of needing a PKCS#11 driver). To use this, edit your connection in Viscosity, click the Authentication tab, change the Authentication Type to “SSL/TLS Client (System Identity)”, and under System Identity click the small “+” icon while your token is plugged in and select the identity on your token (Viscosity will list all Keychain and token identities). Make sure a CA file is selected, Save the changes, and try connecting.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Bluesky: https://bsky.app/profile/sparklabs.com

freerk

Posts: 2
Joined: Wed Jun 12, 2024 6:54 pm

Post by freerk » Thu Jun 13, 2024 7:04 pm
Hi James,

Interestingly, after installing OpenVPN-Connect (another client), Viscosity started to work again with PKCS#11. Very curious how that all works together, I'm assuming OpenVPN-Connect changed some underlying binaries?

Anyways, I'll try to do some more troubleshooting and maybe post the outcome here, if I find anything. Thank you for your help so far!