Re: engine_pkcs11 and openssl.cnf

Fri, 16 Apr 2010 12:35:08 -0700 

Dr. Stephen Henson wrote:

On Fri, Apr 16, 2010, Dimitrios Siganos wrote:
Now, I would like this engine to install automatically i.e. without having to run the engine command. I tried adding the following to openssl.cnf 

##########################
openssl_conf = openssl_def

[ openssl_def ]
engines = engine_section

[ engine_section ]
pkcs11 = pkcs11_section

[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /home/ds/local/lib/engines/engine_pkcs11.so
MODULE_PATH = opensc-pkcs11.so
init = 0
##########################

but it doesn't work properly. Here's what I get:
$ openssl engine -t
(dynamic) Dynamic engine loading support
    [ unavailable ]
(4758cca) IBM 4758 CCA hardware engine support
    [ unavailable ]
(aep) Aep hardware engine support
    [ unavailable ]
(atalla) Atalla hardware engine support
    [ unavailable ]
(cswift) CryptoSwift hardware engine support
    [ unavailable ]
(chil) CHIL hardware engine support
    [ unavailable ]
(nuron) Nuron hardware engine support
    [ unavailable ]
(sureware) SureWare hardware engine support
    [ unavailable ]
(ubsec) UBSEC hardware engine support
    [ unavailable ]
(padlock) VIA PadLock (no-RNG, no-ACE)
    [ unavailable ]
(gost) Reference implementation of GOST engine
    [ available ]
(pkcs11) pkcs11 engine
Auto configuration failed

1116888:error:260B606D:engine routines:DYNAMIC_LOAD:init 
failed:eng_dyn.c:521:
1116888:error:260BC066:engine routines:INT_ENGINE_CONFIGURE:engine 
configuration error:eng_cnf.c:204:section=pkcs11_section, 
name=dynamic_path, value=/home/ds/local/lib/engines/engine_pkcs11.so
1116888:error:0E07606D:configuration file routines:MODULE_RUN:module 
initialization error:conf_mod.c:235:module=engines, value=engine_section, 
retcode=-1     
Can someone shed some light into this?
    


It's not obvious what the problem is from that. It looks like the PKCS#11
isn't initialising properly.

Try using the dynamic ENGINE in the config file with exactly the same commands
you used on the commmand line.

  

This seems to be a regression of some sort but not necessarily of 
openssl. I found this thread on a different mailing list that describes 
the problem in much more detail and there is an active discussion about 
possible fixes.

http://www.opensc-project.org/pipermail/opensc-devel/2010-April/013953.html


I tried openssl 0.9.8k and that works fine for me, so I will stick with 
the older version for now.


Thank you for your time,
Dimitrios Siganos
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org






















					Reply via email to