Bug with OpenSSL engine initialization in tls_engine_load_dynamic_generic

Michael Schaller misch at google.com
Tue Jun 14 02:48:31 PDT 2016


On Tue, Jun 14, 2016 at 11:26 AM, David Woodhouse <dwmw2 at infradead.org> wrote:
> On Tue, 2016-06-14 at 11:01 +0200, Michael Schaller wrote:
>> Jouni, thank you for committing the patches.
>> David, Jouni, how about adding a log message that states that the
>> pkcs11 engine and module path usage is deprecated and that they should
>> switch to p11-kit URIs?
>
> Sure, as long as you get the criteria right.
>
> It's deprecated on Linux systems where p11-kit is present. That's
> fairly much *all* traditional Linux distributions and many embedded
> ones, but that still leaves a number of platforms where OpenSSL could
> be used.
>
> That's why I went as far as 'these options should not need to be used
> explicitly' in the sample wpa_supplicant.conf file, but no further.
>
I forgot about the other platforms, again. Sorry.
I guess an informational log message to suggest to use p11-kit instead
is too much noise and so I guess this is all that can be done at the
moment.
Thanks David for thinking this thoroughly through.

> I did almost submit a patch which rips out the support for the OpenSC
> engine — that one is lost *so* far in the mists of time that I couldn't
> even find a copy of its source, last time I looked. But it occurred to
> me that you could actually load *any* engine via opensc_engine_path,
> including the CAPI or OSX Keychain engines, and people might actually
> be doing so.
>
I couldn't find anything about OpenSC's OpenSSL engine
(engine_opensc.so) either and no supported Debian or Ubuntu release
has a package that would provide that file. I guess they've moved on
to pkcs11 + opensc module for good.
And now that you mention it... The OpenSC configuration could indeed
be used to use any OpenSSL engine. Deprecation is hard... :-/


>> FYI: I've opened a bug with Debian to include the patch in their
>> packaging: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827253
>
> FWIW if we're chasing stuff up into distributions there's a whole bunch
> of work going on to support PKCS#11 as a 'first class citizen'. It would
> basically Just Work™ for 802.1x in NetworkManager already if NM would
> just pass the string through, instead of validating a 'pkcs11:...'
> string as if it's a pathname and bailing out because no file exists
> with that name: https://bugzilla.gnome.org/show_bug.cgi?id=719982
>
I hope that bug will be fixed for good one day. I'll forward the
information to my colleague Mike Gerow and maybe he can provide that
missing patch...
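The NetworkManager behaviour David describes above (a 'pkcs11:...' reference rejected because it is checked like a file path), as an added Python illustration that is not code from wpa_supplicant, NetworkManager or anyone in this thread: it parses RFC 7512 PKCS#11 URIs and applies the file-existence check only to references that are not URIs. It accepts only the standard RFC 7512 attribute names (vendor attributes are rejected, an assumption made for brevity) and the sample URI is constructed.

```python
import os
from urllib.parse import unquote, unquote_to_bytes

# RFC 7512 attribute names. Path attributes are separated by ';', query
# attributes follow '?' and are separated by '&'. Vendor-specific names are
# rejected here as a simplification.
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-manufacturer", "slot-description", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}


def parse_pkcs11_uri(uri):
    """Parse 'pkcs11:attr=val;...?qattr=val&...' into (path_attrs, query_attrs).

    Values are percent-decoded ('id' is binary per RFC 7512, so it stays bytes).
    Unknown, malformed or duplicate attributes raise ValueError.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")
    path_attrs, query_attrs = {}, {}
    for part, allowed, sep, out in ((path_part, PATH_ATTRS, ";", path_attrs),
                                    (query_part, QUERY_ATTRS, "&", query_attrs)):
        for item in filter(None, part.split(sep)):
            name, eq, value = item.partition("=")
            if not eq or name not in allowed or name in out:
                raise ValueError("bad attribute %r" % item)
            out[name] = unquote_to_bytes(value) if name == "id" else unquote(value)
    return path_attrs, query_attrs


def classify_key_reference(ref):
    """Return ('pkcs11', attrs) for a URI or ('file', path) for an existing file.

    A URI names an object on a token, not a file, so it must be passed through
    to the TLS library untouched and never tested with os.path.exists().
    """
    if ref.startswith("pkcs11:"):
        return "pkcs11", parse_pkcs11_uri(ref)
    if not os.path.exists(ref):
        raise FileNotFoundError(ref)
    return "file", ref


if __name__ == "__main__":
    # Constructed sample reference, as it might appear in a private_key= setting.
    print(classify_key_reference(
        "pkcs11:token=My%20Token;object=wifi-key;type=private?module-name=opensc-pkcs11"))
```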
