On Tue, Jun 14, 2016 at 11:26 AM, David Woodhouse <dwmw2@xxxxxxxxxxxxx> wrote:
> On Tue, 2016-06-14 at 11:01 +0200, Michael Schaller wrote:
>> Jouni, thank you for committing the patches.
>> David, Jouni, how about adding a log message that states that the
>> pkcs11 engine and module path usage is deprecated and that they should
>> switch to p11-kit URIs?
>
> Sure, as long as you get the criteria right.
>
> It's deprecated on Linux systems where p11-kit is present. That's
> fairly much *all* traditional Linux distributions and many embedded
> ones, but that still leaves a number of platforms where OpenSSL could
> be used.
>
> That's why I went as far as 'these options should not need to be used
> explicitly' in the sample wpa_supplicant.conf file, but no further.
>

I forgot about the other platforms, again. Sorry. I guess an informational
log message suggesting the use of p11-kit instead is too much noise, and so
I guess this is all that can be done at the moment. Thanks, David, for
thinking this through thoroughly.

> I did almost submit a patch which rips out the support for the OpenSC
> engine — that one is lost *so* far in the mists of time that I couldn't
> even find a copy of its source, last time I looked. But it occurred to
> me that you could actually load *any* engine via opensc_engine_path,
> including the CAPI or OSX Keychain engines, and people might actually
> be doing so.
>

I couldn't find anything about OpenSC's OpenSSL engine (engine_opensc.so)
either, and no supported Debian or Ubuntu release has a package that would
provide that file. I guess they've moved on to pkcs11 + opensc module for
good. And now that you mention it... The OpenSC configuration could indeed
be used to load any OpenSSL engine. Deprecation is hard... :-/

>> FYI: I've opened a bug with Debian to include the patch in their
>> packaging: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827253
>
> FWIW if we're chasing stuff up into distributions there's a whole bunch
> of work going on to support PKCS#11 as a 'first class citizen'. It would
> basically Just Work™ for 802.1x in NetworkManager already if NM would
> just pass the string through, instead of validating a 'pkcs11:...'
> string as if it's a pathname and bailing out because no file exists
> with that name: https://bugzilla.gnome.org/show_bug.cgi?id=719982
>

I hope that bug will be fixed for good one day. I'll forward the information
to my colleague Mike Gerow and maybe he can provide that missing patch...