[pkg-opensc-maint] Bug#907452: OpenVPN deadlock when adding PKCS#11 provider (fix proposed)

Cédric Dufour - Idiap Research Institute cedric.dufour at idiap.ch
Tue Aug 28 08:03:46 BST 2018

Package: libpkcs11-helper1
Version: 1.24-1


In addition to OpenVPN deadlocking at PIN prompt as reported in debian bug #772812 (solved by adding a few patches):


OpenVPN will *also* deadlock when adding the PKCS#11 provider(s), before any PIN prompt attempt:


I managed to work around that issue in pkcs11-helper by:
- including patch https://github.com/OpenSC/pkcs11-helper/commit/9b8debf331d7bd5eda1fa6feb322c0e31657e9b5 (incl. in version 1.25)
- including patch https://github.com/OpenSC/pkcs11-helper/commit/4ea1afedec542b3f454dc6b02e86ef479d04a6ac (incl. in version 1.25.1)
- *disabling* threading (--disable-threading and --disable-slotevent)

Note that unless threading is disabled, OpenVPN will deadlock *even* when using the "management" interface, since the loading the PKCS#11 provider still happens during OpenVPN initialization (independently from the PIN prompt being offloaded to the management client):

  https://github.com/OpenSC/pkcs11-helper/issues/5 (alonbl's last comment before closing)

I can't find back the reference to a comment stating that OpenVPN might be the only user, nowadays, of the pkcs11-helper.
Based on my experience working with PKCS#11 along PAM, Kerberos, Firefox, Thunderbird and Chromium, I can tell only the OpenVPN package did pull the libpkcs11-helper-1 pakage as a dependency.
The change proposed here should thus not affect too broad an audience.

I know the culprit in all this seems to be OpenVPN but since this bug has been along for several years and nobody seems to be willing to address it,
would you consider those changes nonetheless ?

Thanks and best,


Cédric Dufour @ Idiap Research Institute

More information about the pkg-opensc-maint mailing list