Bug with OpenSSL engine initialization in tls_engine_load_dynamic_generic
misch at google.com
Tue Jun 14 02:48:31 PDT 2016
On Tue, Jun 14, 2016 at 11:26 AM, David Woodhouse <dwmw2 at infradead.org> wrote:
> On Tue, 2016-06-14 at 11:01 +0200, Michael Schaller wrote:
>> Jouni, thank you for committing the patches.
>> David, Jouni, how about adding a log message that states that the
>> pkcs11 engine and module path usage is deprecated and that they should
>> switch to p11-kit URIs?
> Sure, as long as you get the criteria right.
> It's deprecated on Linux systems where p11-kit is present. That's
> fairly much *all* traditional Linux distributions and many embedded
> ones, but that still leaves a number of platforms where OpenSSL could
> be used.
> That's why I went as far as 'these options should not need to be used
> explicitly' in the sample wpa_supplicant.conf file, but no further.
I forgot about the other platforms, again. Sorry.
I guess an informational log message to suggest to use p11-kit instead
is too much noise and so I guess this is all that can be done at the
Thanks David for thinking this thoroughly through.
> I did almost submit a patch which rips out the support for the OpenSC
> engine — that one is lost *so* far in the mists of time that I couldn't
> even find a copy of its source, last time I looked. But it occurred to
> me that you could actually load *any* engine via opensc_engine_path,
> including the CAPI or OSX Keychain engines, and people might actually
> be doing so.
I couldn't find anything about OpenSC's OpenSSL engine
(engine_opensc.so) either and no supported Debian or Ubuntu release
has a package that would provide that file. I guess they've moved on
to pkcs11 + opensc module for good.
And now that you mention it... The OpenSC configuration could indeed
be used to use any OpenSSL engine. Deprecation is hard... :-/
>> FYI: I've opened a bug with Debian to include the patch in their
>> packaging: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827253
> FWIW if we're chasing stuff up into distributions there's a whole bunch
> of work going on to support PKCS#11 as a 'first class citizen'. It would
> basically Just Work™ for 802.1x in NetworkManager already if NM would
> just pass the string through, instead of validating a 'pkcs11:...'
> string as if it's a pathname and bailing out because no file exists
> with that name: https://bugzilla.gnome.org/show_bug.cgi?id=719982
I hope that bug will be fixed for good one day. I'll forward the
information to my colleague Mike Gerow and maybe he can provide that
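The NetworkManager bug David links above is that a 'pkcs11:...' string is checked as if it were a file path and rejected when no such file exists. The following is an added illustration, not code from this thread, from NetworkManager or from hostap: it contrasts that path-only check with one that first recognises an RFC 7512 PKCS#11 URI (scheme `pkcs11:`, `;`-separated path attributes, optional `?`-separated query attributes, percent-encoded values) and only falls back to a file-existence test for plain paths. The sample URI and the `module-path` value in it are constructed for the example.

```python
import os
import tempfile
from urllib.parse import unquote

PKCS11_SCHEME = "pkcs11:"


def legacy_path_check(value):
    """The behaviour the thread complains about: every certificate
    reference is treated as a filename, so a pkcs11: URI is rejected."""
    return os.path.isfile(value)


def parse_pkcs11_uri(uri):
    """Parse an RFC 7512 PKCS#11 URI into (path_attrs, query_attrs).

    Raises ValueError when the string does not carry the pkcs11: scheme
    or when an attribute has no '=' separator.
    """
    if not uri.startswith(PKCS11_SCHEME):
        raise ValueError("not a pkcs11: URI: %r" % uri)
    rest = uri[len(PKCS11_SCHEME):]
    # RFC 7512: path attributes before '?', query attributes after it.
    path_part, _, query_part = rest.partition("?")

    def split_attrs(part, separator):
        attrs = {}
        if not part:
            return attrs
        for item in part.split(separator):
            name, eq, value = item.partition("=")
            if not name or not eq:
                raise ValueError("malformed attribute: %r" % item)
            # Values are percent-encoded; decode them for the caller.
            attrs[name] = unquote(value)
        return attrs

    return split_attrs(path_part, ";"), split_attrs(query_part, "&")


def classify_cert_reference(value):
    """Return 'pkcs11-uri', 'file' or 'invalid'.

    A pkcs11: URI is validated as a URI; anything else is still required
    to be an existing file, as before.
    """
    if value.startswith(PKCS11_SCHEME):
        try:
            parse_pkcs11_uri(value)
            return "pkcs11-uri"
        except ValueError:
            return "invalid"
    return "file" if os.path.isfile(value) else "invalid"


def classify_temporary_file():
    """Helper for the file branch: create a real file and classify its path."""
    with tempfile.NamedTemporaryFile() as handle:
        return classify_cert_reference(handle.name)


if __name__ == "__main__":
    # Constructed sample: token label with a percent-encoded space and a
    # module-path query attribute (the path is illustrative only).
    sample = ("pkcs11:token=My%20Token;object=wifi-cert;type=cert"
              "?module-path=/usr/lib/opensc-pkcs11.so")
    print("legacy check accepts URI:", legacy_path_check(sample))
    print("URI-aware check:", classify_cert_reference(sample))
    print(parse_pkcs11_uri(sample))
```

The point of the contrast is that the legacy check returns False for every pkcs11: URI, so the reference can never be used, while the URI-aware check keeps the file test for genuine paths and still rejects a malformed URI such as `pkcs11:bad`.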