Bug with OpenSSL engine initialization in tls_engine_load_dynamic_generic

David Woodhouse dwmw2 at infradead.org
Tue Jun 14 02:26:57 PDT 2016


On Tue, 2016-06-14 at 11:01 +0200, Michael Schaller wrote:
> Jouni, thank you for committing the patches.
> David, Jouni, how about adding a log message that states that the
> pkcs11 engine and module path usage is deprecated and that they should
> switch to p11-kit URIs?

Sure, as long as you get the criteria right.

It's deprecated on Linux systems where p11-kit is present. That's
fairly much *all* traditional Linux distributions and many embedded
ones, but that still leaves a number of platforms where OpenSSL could
be used.

That's why I went as far as 'these options should not need to be used
explicitly' in the sample wpa_supplicant.conf file, but no further.

I did almost submit a patch which rips out the support for the OpenSC
engine — that one is lost *so* far in the mists of time that I couldn't
even find a copy of its source, last time I looked. But it occurred to
me that you could actually load *any* engine via opensc_engine_path,
including the CAPI or OSX Keychain engines, and people might actually
be doing so.

> FYI: I've opened a bug with Debian to include the patch in their
> packaging: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827253

FWIW if we're chasing stuff up into distributions there's a whole bunch
of work going on to support PKCS#11 as a 'first class citizen'. It would
basically Just Work™ for 802.1x in NetworkManager already if NM would
just pass the string through, instead of validating a 'pkcs11:...'
string as if it's a pathname and bailing out because no file exists
with that name: https://bugzilla.gnome.org/show_bug.cgi?id=719982

It *does* work for OpenConnect VPN if you configure a PKCS#11 URI
instead of a pathname, but you have to do that with nmcli because the
GUI for selecting objects from PKCS#11 doesn't exist... although *that*
is the subject of a GSoC project I'm mentoring this year, covered by
https://bugzilla.gnome.org/show_bug.cgi?id=679860

It works for OpenVPN too, as long as your distro has incorporated the
patches which enable URI support in pkcs11-helper:
https://github.com/OpenSC/pkcs11-helper/pull/4

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation
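An added illustration of the NetworkManager failure mode described in the message above (treating a 'pkcs11:...' string as a pathname and bailing out because no such file exists). This is example code written for this page, not code from the mail, NetworkManager, wpa_supplicant or any project mentioned; the function names, the minimal attribute check and the sample URIs are assumptions made here. It parses the RFC 7512 attribute syntax and shows a naive filename-only validator beside one that recognises the URI scheme and passes it through instead of stat'ing it.

```python
import os
import tempfile
from urllib.parse import unquote, unquote_to_bytes

PKCS11_SCHEME = "pkcs11:"


def parse_pkcs11_uri(uri):
    """Split an RFC 7512 PKCS#11 URI into (path_attrs, query_attrs).

    Path attributes (token=, object=, type=, id=, ...) are ';'-separated;
    query attributes (pin-value=, module-path=, ...) follow a '?' and are
    '&'-separated. Values are percent-decoded; 'id' is binary and kept as
    bytes. Raises ValueError on malformed input.
    """
    if not uri.lower().startswith(PKCS11_SCHEME):
        raise ValueError("not a pkcs11: URI")
    body = uri[len(PKCS11_SCHEME):]
    path_part, _, query_part = body.partition("?")

    def decode_pairs(text, sep):
        out = {}
        for item in text.split(sep):
            if not item:
                continue
            if "=" not in item:
                raise ValueError(f"malformed attribute: {item!r}")
            key, value = item.split("=", 1)
            out[key] = unquote_to_bytes(value) if key == "id" else unquote(value)
        return out

    return decode_pairs(path_part, ";"), decode_pairs(query_part, "&")


def naive_validate(ref):
    """The behaviour the mail complains about: every certificate reference
    is assumed to be a filename, so a pkcs11: URI is rejected."""
    return os.path.isfile(ref)


def validate_cert_ref(ref):
    """Hardened form (hypothetical): a pkcs11: URI is syntax-checked and
    passed through for the TLS library to resolve; anything else is still
    treated as a file path that must exist."""
    if ref.lower().startswith(PKCS11_SCHEME):
        attrs, _query = parse_pkcs11_uri(ref)
        # Require at least one attribute that identifies an object.
        return "object" in attrs or "id" in attrs
    return os.path.isfile(ref)


def demo_file_path():
    """Both validators still accept a real file (temp file created here)."""
    with tempfile.NamedTemporaryFile(suffix=".pem") as f:
        return naive_validate(f.name), validate_cert_ref(f.name)


if __name__ == "__main__":
    uri = "pkcs11:token=My%20Token;object=my-cert;type=cert;id=%01%02?pin-value=1234"
    print(parse_pkcs11_uri(uri))
    print("naive:", naive_validate(uri), "hardened:", validate_cert_ref(uri))
    print("file path:", demo_file_path())
```

The point of the pass-through is that the validator's only job is to decide which resolver the reference goes to; whether the token and object actually exist is for the PKCS#11 provider to answer, not for `os.path.isfile`.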