I've added a warning to the KB article now. Thanks for reporting this.

--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 4. 12. 2023, at 14:45, Gérard Parat via bind-users <bind-users@lists.isc.org> wrote:
>
> Hi,
>
> I'll follow your advice and postpone the use of SoftHSM2 for the time being.
>
> Anyway, thanks for your help!
>
> Gérard
>
> On 04/12/2023 at 14:31, Ondřej Surý wrote:
>> Hi,
>>
>> the guide was written for OpenSSL 1.1.x and tested with that version,
>> and the engines support in OpenSSL 3.x is deprecated, so most probably
>> something got broken along the way.
>>
>> Everything works properly with OpenSSL 1.1.x (for example on Ubuntu focal).
>>
>> There's a new provider for OpenSSL 3.x here:
>> https://github.com/latchset/pkcs11-provider
>>
>> The catch is that the OpenSSL provider can't really be used with SoftHSM2,
>> because SoftHSM2 is itself broken when used with providers:
>> https://github.com/latchset/pkcs11-provider/discussions/68#discussioncomment-3860124
>>
>> You can try using /usr/lib/x86_64-linux-gnu/libsoftokn3.so from libnss3 as the PKCS#11 library
>> instead of SoftHSM2, but unless you have a specific reason to use PKCS#11 I would
>> suggest simply avoiding it until the dust settles.
>>
>> Adding SoftHSM2 on top of BIND 9 doesn't really increase security, as the user
>> named runs under has to have access to the private key data anyway.
>>
>> Ondrej
>> --
>> Ondřej Surý (He/Him)
>> ond...@isc.org
>>
>> My working hours and your working hours may be different. Please do not feel
>> obligated to reply outside your normal working hours.
>>
>>> On 4. 12. 2023, at 0:43, Gérard Parat via bind-users <bind-users@lists.isc.org> wrote:
>>>
>>> Hi,
>>>
>>> Weird behavior with /opt/bind9/etc/openssl.cnf.
>>>
>>> The only difference from /etc/ssl/openssl.cnf is the pkcs11 engine:
>>>
>>> [openssl_init]
>>> engines=engine_section
>>>
>>> [engine_section]
>>> pkcs11 = pkcs11_section
>>>
>>> [pkcs11_section]
>>> engine_id = pkcs11
>>> dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
>>> MODULE_PATH = /usr/lib/softhsm/libsofthsm2.so
>>> init = 0
>>>
>>> For example, dig is not working with the environment variable OPENSSL_CONF set:
>>>
>>> $ dig www.internet.nl +short
>>> 04-Dec-2023 00:39:24.280 EVP_PKEY_fromdata_init failed (crypto failure)
>>> 04-Dec-2023 00:39:24.280 error:03000096:digital envelope routines::operation not supported for this keytype:../crypto/evp/pmeth_gn.c:354:
>>> dig: dst_lib_init: crypto failure
>>>
>>> It works if OPENSSL_CONF is undefined:
>>>
>>> $ OPENSSL_CONF= dig www.internet.nl +short
>>> proloprod.internet.nl.
>>> 62.204.66.10
>>>
>>> The issue seems wider than just dnssec-keyfromlabel.
>>>
>>> Gérard
>>>
>>> On 03/12/2023 at 18:40, Gérard Parat via bind-users wrote:
>>>> Hi,
>>>>
>>>> I used this tutorial as a reference to set up DNSSEC with SoftHSM2:
>>>> https://kb.isc.org/docs/bind-9-pkcs11
>>>>
>>>> I installed the Debian package instead of building libp11:
>>>> libengine-pkcs11-openssl:amd64 0.4.12-0.1
>>>>
>>>> It works until reaching this command:
>>>> $ dnssec-keyfromlabel \
>>>>     -E pkcs11 \
>>>>     -a RSASHA256 \
>>>>     -l "token=bind9;object=example.net-ksk" \
>>>>     -f KSK example.net
>>>> dnssec-keyfromlabel: fatal: could not initialize dst: crypto failure
>>>>
>>>> Trying directly from OpenSSL works:
>>>> $ openssl pkey \
>>>>     -in "pkcs11:token=bind9;object=example.net-ksk" \
>>>>     -inform ENGINE \
>>>>     -engine pkcs11 \
>>>>     -text \
>>>>     -pubin
>>>> Engine "pkcs11" set.
>>>> -----BEGIN PUBLIC KEY-----
>>>> MIG/MA0GCSqGSIb3DQEBAQUAA4GtADCBqQKBoQCmhO41MX09L/BiJiU7ygXt6D7J
>>>> ujmZFMBB7tb/LJBazNp+Xd5TLHZvp1MxFBBW39swTU6oynLnp8IOIuWQNap6kyQ5
>>>> hkGusvZ/JsrwHLZ1phPBKsdEd2ClB9EfF+ReabhXRVbqrw9yz22mLdlajmkLTx2d
>>>> V6EsjJue+aSX1nxFmna6qNrZBA5ifClpKH7R/0ztQb1RlYA11RG1RGrsRSJnAgMB
>>>> AAE=
>>>> -----END PUBLIC KEY-----
>>>> RSA Public-Key: (1280 bit)
>>>> Modulus:
>>>>     00:a6:84:ee:35:31:7d:3d:2f:f0:62:26:25:3b:ca:
>>>>     05:ed:e8:3e:c9:ba:39:99:14:c0:41:ee:d6:ff:2c:
>>>>     90:5a:cc:da:7e:5d:de:53:2c:76:6f:a7:53:31:14:
>>>>     10:56:df:db:30:4d:4e:a8:ca:72:e7:a7:c2:0e:22:
>>>>     e5:90:35:aa:7a:93:24:39:86:41:ae:b2:f6:7f:26:
>>>>     ca:f0:1c:b6:75:a6:13:c1:2a:c7:44:77:60:a5:07:
>>>>     d1:1f:17:e4:5e:69:b8:57:45:56:ea:af:0f:72:cf:
>>>>     6d:a6:2d:d9:5a:8e:69:0b:4f:1d:9d:57:a1:2c:8c:
>>>>     9b:9e:f9:a4:97:d6:7c:45:9a:76:ba:a8:da:d9:04:
>>>>     0e:62:7c:29:69:28:7e:d1:ff:4c:ed:41:bd:51:95:
>>>>     80:35:d5:11:b5:44:6a:ec:45:22:67
>>>> Exponent: 65537 (0x10001)
>>>>
>>>> Debian 12 (bookworm) uses OpenSSL version 3:
>>>> libssl3:amd64 3.0.11-1~deb12u2
>>>> openssl 3.0.11-1~deb12u2
>>>>
>>>> Installed BIND9 packages:
>>>> bind9 1:9.18.19-1~deb12u1
>>>> bind9-utils 1:9.18.19-1~deb12u1
>>>> bind9-dnsutils 1:9.18.19-1~deb12u1
>>>> bind9-doc 1:9.18.19-1~deb12u1
>>>> bind9-libs:amd64 1:9.18.19-1~deb12u1
>>>> bind9-host 1:9.18.19-1~deb12u1
>>>>
>>>> $ dnssec-keyfromlabel -V
>>>> dnssec-keyfromlabel 9.18.19-1~deb12u1-Debian
>>>>
>>>> [pkcs11_section]
>>>> engine_id = pkcs11
>>>> dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
>>>> MODULE_PATH = /usr/lib/softhsm/libsofthsm2.so
>>>> init = 0
>>>>
>>>> strace file:
>>>> https://pasteb.in/?bd9a4ecaca6ece23#E2emtt8zi9t5UsnFJ2QWKVD6ALTkZmKG9656fuZR3ArX
>>>>
>>>> It seems to be an API problem, or maybe I missed something?
>>>>
>>>> Gérard
>>> --
>>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>>
>>> ISC funds the development of this software with paid support subscriptions.
>>> Contact us at https://www.isc.org/contact/ for more information.
>>>
>>>
>>> bind-users mailing list
>>> bind-users@lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
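The thread above boils down to one check a practitioner wants before chasing "dst_lib_init: crypto failure" in dig or dnssec-keyfromlabel: does the OPENSSL_CONF in effect pull in an OpenSSL *engine* (deprecated in 3.x) via [openssl_init] engines=...? The following is an added example, not code from the thread, from ISC or from BIND 9. It parses an openssl.cnf the way the reporter's file is laid out, names any configured engines, and wraps the workaround the reporter used (running the tool with OPENSSL_CONF emptied). It assumes /etc/ssl/openssl.cnf as the compiled-in default path (true on Debian; an assumption elsewhere), and the two sample configs it writes are constructed copies of the stanzas quoted in the thread, not files taken from any system.

```shell
#!/bin/sh
# Added example (not from the bind-users thread or ISC). Detect OpenSSL
# engine sections in an openssl.cnf and run a command with that config
# disabled, as the reporter did with "OPENSSL_CONF= dig ...".

# openssl_engines_configured FILE
# Prints one engine name per line for every entry reachable from
# [openssl_init] engines=<section>; exit 0 if any was found, 1 otherwise
# (also 1 when FILE is unreadable). Values containing '#' or ';' are
# truncated as comments, which is fine for the engine stanzas in question.
openssl_engines_configured() {
  [ -r "$1" ] || return 1
  awk '
    /^[ \t]*\[/ { sec = $0; gsub(/\[|\]|[ \t]/, "", sec); next }   # [section]
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }                           # comment/blank
    {
      line = $0; sub(/[#;].*/, "", line)                         # trailing comment
      n = index(line, "="); if (!n) next
      k = substr(line, 1, n - 1); v = substr(line, n + 1)
      gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
      kv[sec, k] = v
    }
    END {
      es = kv["openssl_init", "engines"]          # e.g. engine_section
      if (es == "") exit 1
      found = 0
      for (key in kv) {
        split(key, p, SUBSEP)                     # p[1]=section, p[2]=key
        if (p[1] != es) continue
        name = p[2]                               # "pkcs11 = pkcs11_section"
        s = kv[key]                               # section describing the engine
        if ((s, "engine_id") in kv) name = kv[s, "engine_id"]
        print name; found = 1
      }
      exit (found ? 0 : 1)
    }' "$1"
}

# check_openssl_conf
# Exit 0 if the config OpenSSL would load carries no engine section.
# An OPENSSL_CONF that is set but empty names no openable file, so OpenSSL
# effectively runs without a config; the unreadable-file branch above models that.
check_openssl_conf() {
  cfg="${OPENSSL_CONF-/etc/ssl/openssl.cnf}"   # assumption: Debian default path
  if engines=$(openssl_engines_configured "$cfg"); then
    printf 'warning: %s loads OpenSSL engine(s): %s\n' \
      "$cfg" "$(printf '%s' "$engines" | tr '\n' ' ')" >&2
    printf 'BIND 9 tools on OpenSSL 3 may fail with "dst_lib_init: crypto failure"; retry as: OPENSSL_CONF= <command>\n' >&2
    return 1
  fi
  return 0
}

# without_openssl_conf CMD [ARGS...]
# Run CMD with OPENSSL_CONF emptied for that process only.
without_openssl_conf() {
  env OPENSSL_CONF= "$@"
}

# Constructed sample: the reporter's pkcs11 engine stanza (Debian 12 paths).
write_engine_conf() {
  cat > "$1" <<'EOF'
[openssl_init]
engines=engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
MODULE_PATH = /usr/lib/softhsm/libsofthsm2.so
init = 0
EOF
}

# Constructed sample: a provider-only [openssl_init], no engines key.
write_provider_conf() {
  cat > "$1" <<'EOF'
[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect

[default_sect]
activate = 1
EOF
}

# Stand-alone use: report on the configuration currently in effect.
check_openssl_conf && echo "ok: no OpenSSL engine configured via ${OPENSSL_CONF-/etc/ssl/openssl.cnf}"
```

Source the file and call check_openssl_conf before running dig or dnssec-keyfromlabel; if it warns, rerun the tool through without_openssl_conf to confirm the engine stanza is the cause, which reproduces the reporter's observation that the same command succeeds once OPENSSL_CONF is empty.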