<html><head><meta http-equiv="Content-Type" content="text/html charset=koi8-r"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Shawn,<div><br></div><div>The point is none of the applications using the Keychain APIs reject certificates stored on the token or handle them improperly except for VPN client.</div><div><br></div><div>The first thing I'd like to know, does anybody have positive experience with using certificates stored on token in built-in VPN client on MacOSX 10.9.</div><div>If does, what tokend is used? Has anybody tried using PKCS11.tokend?</div><div><br></div><div>Moreover, I wonder why PKCS11.tokend is cut out of tokend installers.</div><div><br></div><div>By the way, rather long ago I've reported the issue with Apple Bug Reporter (ticket 15654874), it is still open and marked as a duplicate.</div><div><br></div><div>Best regards,</div><div>Eugene Mironenko</div><div><br><div><div>12.03.2014, в 19:39, Shawn Geddis <<a href="mailto:geddis@me.com">geddis@me.com</a>></div><div> написал(а):</div><br class="Apple-interchange-newline"><blockquote type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">On Mar 12, 2014, at 5:29 AM, Мироненко Евгений <<a href="mailto:mironenko@rutoken.ru">mironenko@rutoken.ru</a>> wrote:<br><div apple-content-edited="true">
<div style="letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div style="letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div style="font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div style="font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div style="font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div style="font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div style="font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><span class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><font face="Helvetica" style=""><span style="font-size: 12px;">- Shawn</span></font><span style="font-size: 12px; font-family: Helvetica; text-align: -webkit-auto;">_____________________________________________________________________</span></div></span></div></div></div></div></div></div></div></div>
</div>
<br><div><blockquote type="cite">Hello!<br><br>I'm using Gemalto Tokend to access the certificates on the token. On Mac OS X 10.8 the certificates on the token are accessible via Keychain Access, Mail utilities and built-in VPN client, but after updating to 10.9 I've got an issue that certificates on the token are not listed in built-in VPN client (when selecting authentication parameters) though they are visible in Keychain Access utility. <br><br>Is it a problem with Tokend used or Apple has just cut out tokend support from VPN client? Is there any workaround for the issue?<br><br>Best regards,<br>Eugene Mironenko<br></blockquote><br></div><div>Eugene, </div><div><br></div><div>Nothing has changed architecturally from the Apple side on Tokend or on the ability of any Apple services (ie. VPN) to utilize the Keychain APIs which is how they get access to Smart Cards supported with a Tokend. Have you updated the Tokend for 10.9 using the updated installers posted ? There was a security CVE addressed and implemented in the new updates as well.</div><div><br></div><div>Please capture logs before and during the transactions and submit with a ticket, so we can look into it. We may uncover something from there.</div><div><br></div><div>-Shawn</div><div style="orphans: 2; widows: 2; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><font face="Helvetica"><span style="font-size: 12px;">_____________________________________________________________________<br>Shawn Geddis<span class="Apple-tab-span" style="white-space: pre;"> </span> <span class="Apple-tab-span" style="white-space: pre;"> </span> </span></font><font face="Helvetica"><span style="font-size: 12px;">geddis@{Mac | Me | iCloud}.com</span></font><font face="Helvetica"><span style="font-size: 12px;"><br>Enterprise Security Consulting Engineer, Apple <a href="mailto:geddis@apple.com">geddis@apple.com</a><br><br>Smart Card Services Project/Dev Lead: <br><span class="Apple-tab-span" style="white-space: pre;"> </span>Project Wiki:<span class="Apple-tab-span" style="white-space: pre;"> </span> [<a href="http://smartcardservices.macosfforge.org/">SmartCardServices.MacOSFforge.Org</a>]<br><span class="Apple-tab-span" style="white-space: pre;"> </span>Mailing Lists:<span class="Apple-tab-span" style="white-space: pre;"> </span> [<a href="http://lists.macosforge.org/mailman/listinfo">Lists.MacOSForge.Org/mailman/listinfo</a>]</span></font></div><div style="orphans: 2; widows: 2; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><font face="Helvetica"><span style="font-size: 12px;"><span class="Apple-tab-span" style="white-space: pre;"> </span>SCS Contact:<span class="Apple-tab-span" style="white-space: pre;"> </span> [<a href="mailto:scs-cotact@macosforge.org">scs-cotact@macosforge.org</a>]</span></font></div><div style="orphans: 2; widows: 2; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><font face="Helvetica"><span style="font-size: 12px;"><span class="Apple-tab-span" style="white-space: pre;"> </span>SCS Admin:<span class="Apple-tab-span" style="white-space: pre;"> </span> [<a href="mailto:scs-admin@macosforge.org">scs-admin@macosforge.org</a>]</span></font></div><div><font face="Helvetica"><span style="font-size: 12px;"><br></span></font></div></div></blockquote></div><br></div></body></html>