PKCS11 tokens that don't support RSA-PSS don't work. We should make sure the mechanism is supported or handle the error #396
Comments
Is the pkcs11 DLL provided by your HSM vendor? Are you willing to share what vendor that is? There's no flag for this, but I wonder if it has to do with RSA-PSS in TLS1.3. Do you know if the server you're connecting to supports TLS1.3? If you've got any Go experience, can you try adding a MaxVersion: tls.TlsVersionTLS12 around here: https://github.com/ghostunnel/ghostunnel/blob/master/tls.go#L115 and see if that works? Otherwise we might have to add a bit of debugging to log what parameters it's unhappy with.
Hi,
I got some success, and definitely TLS1.3 is blocking, due to my HSM/pkcs11 DLL functions.
I'm going to keep this open as a bug, as it would be reasonable to support these tokens but limited to TLS 1.2, or at least produce a better error message.
Hi, first of all, congrats to the committers, Ghostunnel is a very nice piece of software!
I had very different and very explicit error messages until I found the correct pkcs11 parameters (certificate, token label, etc.),
but I'm still facing issues trying to handle an mTLS client tunnel based on an HSM & PKCS11 token.
My HSM token seems to effectively provide signing for CKM_SHA256_RSA_PKCS or CKM_RSA_PKCS (just in case you were wondering...)
Any idea?
Thanks in advance.
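The thread's diagnosis is that TLS 1.3 only permits RSA-PSS signature schemes for RSA client keys, so a PKCS#11 token that implements just CKM_SHA256_RSA_PKCS / CKM_RSA_PKCS (PKCS#1 v1.5) cannot complete TLS 1.3 client authentication, while TLS 1.2 still allows rsa_pkcs1_sha256. The following is an added example, not Ghostunnel's own code: it shows how a client could probe a crypto.Signer for PSS support once at startup and pin MaxVersion to TLS 1.2 when the probe fails, which is the "make sure the mechanism is supported or handle the error" behaviour the title asks for. The pkcs1OnlySigner type, the probe digest and the function names are constructed for this example; the simulated token stands in for a real PKCS#11 signer, which would normally come from a library such as the one Ghostunnel uses.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
)

// pkcs1OnlySigner is a constructed stand-in for a PKCS#11 token that only offers
// CKM_SHA256_RSA_PKCS / CKM_RSA_PKCS: PKCS#1 v1.5 signatures work, RSA-PSS is refused.
// A real token would return CKR_MECHANISM_INVALID from C_SignInit; we mimic that error text.
type pkcs1OnlySigner struct {
	key *rsa.PrivateKey
}

func (s *pkcs1OnlySigner) Public() crypto.PublicKey { return &s.key.PublicKey }

func (s *pkcs1OnlySigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	if _, isPSS := opts.(*rsa.PSSOptions); isPSS {
		return nil, errors.New("CKR_MECHANISM_INVALID: token does not support RSA-PSS")
	}
	return rsa.SignPKCS1v15(r, s.key, opts.HashFunc(), digest)
}

// supportsPSS asks the signer for one RSA-PSS signature over a throwaway digest and
// verifies it. Any error (or a bad signature) means TLS 1.3 client auth would fail later.
func supportsPSS(s crypto.Signer) bool {
	pub, ok := s.Public().(*rsa.PublicKey)
	if !ok {
		return false // not an RSA key; PSS is not applicable
	}
	digest := sha256.Sum256([]byte("rsa-pss capability probe")) // constructed probe input
	sig, err := s.Sign(rand.Reader, digest[:], &rsa.PSSOptions{
		SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA256,
	})
	if err != nil {
		return false
	}
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig,
		&rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthAuto}) == nil
}

// clientConfig builds the client-side tls.Config. When the client certificate's key is RSA
// and the backing signer cannot produce PSS, MaxVersion is pinned to TLS 1.2 so the handshake
// never reaches a point where only rsa_pss_* schemes are acceptable.
func clientConfig(cert tls.Certificate) (*tls.Config, error) {
	signer, ok := cert.PrivateKey.(crypto.Signer)
	if !ok {
		return nil, errors.New("client certificate key does not implement crypto.Signer")
	}
	cfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
	}
	if _, isRSA := signer.Public().(*rsa.PublicKey); isRSA && !supportsPSS(signer) {
		cfg.MaxVersion = tls.VersionTLS12
	}
	return cfg, nil
}

// mustKey generates a fresh RSA key for the demonstration (constructed test material).
func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	key := mustKey()
	for name, pk := range map[string]crypto.PrivateKey{
		"pkcs1-only token": &pkcs1OnlySigner{key: key},
		"pss-capable key":  key,
	} {
		cfg, err := clientConfig(tls.Certificate{PrivateKey: pk})
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%s: MaxVersion=%#x (0 means no cap)\n", name, cfg.MaxVersion)
	}
}
```

Pinning to TLS 1.2 is what the reporter found to work. Two caveats for a real deployment: the probe should run once at startup, not per connection, since every call costs a token signing operation; and even in TLS 1.2 the scheme actually used depends on what the server advertises in its CertificateRequest, so a server that offers only rsa_pss_* will still fail, which is where a clear startup error naming the unsupported mechanism is more useful than a handshake failure.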