Using gpgsm+scute with p11tool

Damien Goutte-Gattat dgouttegattat at
Tue Nov 9 23:07:26 CET 2021


On Mon, Nov 08, 2021 at 02:45:53PM +1000, Stuart Longland via Gnupg-users wrote:
>The HTTP request I need to perform is this one:
>I tried using Firefox, it can see the certificate presented by `scute`,
>but it seems Vault isn't designed to authenticate clients that way as
>best I can tell.

As long as the server allows certificate-based client authentication, it 
shouldn’t matter to the server that you are using Scute (or any other 
way to store your certificate) at your end.

However, usage of Scute + Firefox seems broken with TLS 1.3. In my case, 
it works perfectly fine if I force Firefox to use TLS 1.2 
(security.tls.version.max = 3 in about:config), but systematically fails 
when TLS 1.3 is enabled.

I am not sure about the root cause of the failure with TLS 1.3, or even 
if the root cause is in Scute itself or in Firefox.

Could you try temporarily disable TLS 1.3 and try again? If it works 
with TLS 1.2 only, this would suggest you are running into the same 
problem as me.

>If I try doing the same with `scute`, I get nothing:
>$ p11tool --provider=/usr/lib64/pkcs11/ --list-tokens
>Consequently, I have no idea what hardware token URI to supply to
>`curl` when authenticating.
>Is there some trick needed to get `scute` to tell me what tokens are
>present or how to find out what the URL of my private key is?

I would need to look at how is p11tool generating its output, but I 
suspect it may be using some PKCS#11 functions that Scute does not 
currently implement.

- Damien

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <>

More information about the Gnupg-users mailing list