Re: Bug with OpenSSL engine initialization in tls_engine_load_dynamic_generic

On Tue, 2016-06-14 at 11:01 +0200, Michael Schaller wrote:
> Jouni, thank you for committing the patches.
> David, Jouni, how about adding a log message that states that the
> pkcs11 engine and module path usage is deprecated and that they should
> switch to p11-kit URIs?

Sure, as long as you get the criteria right.

It's deprecated on Linux systems where p11-kit is present. That's
fairly much *all* traditional Linux distributions and many embedded
ones, but that still leaves a number of platforms where OpenSSL could
be used.

That's why I went as far as 'these options should not need to be used
explicitly' in the sample wpa_supplicant.conf file, but no further.

I did almost submit a patch which rips out the support for the OpenSC
engine — that one is lost *so* far in the mists of time that I couldn't
even find a copy of its source, last time I looked. But it occurred to
me that you could actually load *any* engine via opensc_engine_path,
including the CAPI or OSX Keychain engines, and people might actually
be doing so.

> FYI: I've opened a bug with Debian to include the patch in their
> packaging: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827253

FWIW if we're chasing stuff up into distributions there's a whole bunch
of work going on to support PKCS#11 as a 'first class citizen'. It would
basically Just Work™ for 802.1x in NetworkManager already if NM would
just pass the string through, instead of validating a 'pkcs11:...'
string as if it's a pathname and bailing out because no file exists
with that name: https://bugzilla.gnome.org/show_bug.cgi?id=719982

It *does* work for OpenConnect VPN if you configure a PKCS#11 URI
instead of a pathname, but you have to do that with nmcli because the
GUI for selecting objects from PKCS#11 doesn't exist... although *that*
is the subject of a GSoC project I'm mentoring this year, covered by
https://bugzilla.gnome.org/show_bug.cgi?id=679860

It works for OpenVPN too, as long as your distro has incorporated the
patches which enable URI support in pkcs11-helper:
https://github.com/OpenSC/pkcs11-helper/pull/4

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse@xxxxxxxxx                              Intel Corporation


_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
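As an added illustration of the NetworkManager failure mode described in the message above (checking a 'pkcs11:...' string as if it were a pathname), the block below is example code written for this page, not code from NetworkManager, wpa_supplicant, OpenConnect or any other project named here. The attribute names follow RFC 7512; the function names and the sample references are constructed for illustration.

```python
"""Tell a PKCS#11 URI (RFC 7512) apart from a filesystem path before validating it.

Added example, not code from NetworkManager, wpa_supplicant or OpenConnect.
Attribute names follow RFC 7512; the function names and the sample
references below are constructed for illustration.
"""
import os
from urllib.parse import unquote, unquote_to_bytes

SCHEME = "pkcs11:"

# Path attributes (RFC 7512 section 2.3) and query attributes (section 2.4).
PATH_ATTRS = {
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-version", "library-description", "object", "type", "id",
    "slot-manufacturer", "slot-description", "slot-id",
}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}


def parse_pkcs11_uri(uri):
    """Parse a PKCS#11 URI into {"path": {...}, "query": {...}}.

    The "id" attribute is binary (CKA_ID) and is returned as bytes; every
    other value is percent-decoded to str. Unknown or repeated path
    attributes are rejected. Query attributes outside QUERY_ATTRS are kept
    because RFC 7512 allows vendor-specific ones.
    """
    if not uri.startswith(SCHEME):
        raise ValueError("not a PKCS#11 URI: %r" % uri)
    path_part, _, query_part = uri[len(SCHEME):].partition("?")

    path = {}
    for seg in filter(None, path_part.split(";")):
        name, sep, value = seg.partition("=")
        if not sep or name not in PATH_ATTRS:
            raise ValueError("bad path attribute: %r" % seg)
        if name in path:
            raise ValueError("repeated path attribute: %r" % name)
        path[name] = unquote_to_bytes(value) if name == "id" else unquote(value)

    query = {}
    for seg in filter(None, query_part.split("&")):
        name, sep, value = seg.partition("=")
        if not sep:
            raise ValueError("bad query attribute: %r" % seg)
        query[name] = unquote(value)
    return {"path": path, "query": query}


def naive_validate(ref, exists=os.path.isfile):
    """The failure mode described in the thread: every credential reference
    is treated as a pathname, so a 'pkcs11:' URI is rejected because no
    file of that name exists."""
    return exists(ref)


def classify_credential(ref, exists=os.path.isfile):
    """Return (kind, value, problem).

    kind is "pkcs11" (value: the parsed URI; the original string is what
    gets passed through to the TLS library untouched) or "file" (value:
    absolute path). problem is None when the reference is usable, else a
    short reason. Only real paths are checked against the filesystem.
    """
    if ref.startswith(SCHEME):
        try:
            return ("pkcs11", parse_pkcs11_uri(ref), None)
        except ValueError as e:
            return ("pkcs11", None, str(e))
    if not exists(ref):
        return ("file", ref, "no such file")
    return ("file", os.path.abspath(ref), None)


if __name__ == "__main__":
    # Constructed references, not taken from any real configuration.
    samples = [
        "pkcs11:token=Example%20Token;object=wifi-key;type=private;id=%01%ab"
        "?pin-source=file:/etc/wifi-pin",
        "pkcs11:object=wifi-key;type=private;type=public",  # repeated attribute
        "/etc/wpa_supplicant/does-not-exist.pem",
    ]
    for ref in samples:
        kind, _, problem = classify_credential(ref)
        print("naive:", naive_validate(ref), "| classify:", kind, problem, "|", ref)
```

The `exists` parameter is injectable only so the filesystem check can be exercised without real files; a front-end such as a network configuration tool would call `classify_credential` with the default and hand the untouched URI string to whatever consumes it (wpa_supplicant, OpenConnect, OpenVPN with a URI-aware pkcs11-helper), reserving the stat() for references that are actually paths.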
