David Woodhouse <dwmw2 at infradead.org> wrote:

> This is a lot more feasible now than it used to be - at least gnutls has
> DTLS support now. You'd just need to add the hacks to make it compatible
> with Cisco's bastardised version of the protocol.

Hm, I asked because gnutls seems to have a clean native pkcs11 interface with a unified key/cert addressing scheme.

Using the source code at http://www.gnu.org/software/gnutls/manual/html_node/Client-using-a-smart-card-with-TLS.html I have now been able to use my smartcard out of the box, adding my proprietary pkcs11 library to the pool of available pkcs11 libraries.

There is also a nice command-line utility "p11tool" which provides access to the keys stored on the pkcs11 providers (on the smartcard in my case).

> Alternatively, use an OpenSSL "Engine". OpenConnect has worked with a
> TPM from the very beginning, that way.

The pkcs11 engine for openssl is provided by a third party and is unfortunately not very well documented and looks more or less unmaintained to me. I have not yet been able to access the card properly using it. A p11tool equivalent does not seem to exist. At least I did not yet find one.

In gnutls TPM access seems to be also possible using pkcs11.

Sven

--
TCP/IP: telecommunication protocol for imbibing pilsners
(Man-page uubp(1C) on Debian/GNU Linux)
/me is giggls at ircnet, http://sven.gegg.us/ on the Web