Configuring an engine in custom openssl.cnf

Martin Bonner Martin.Bonner at entrust.com
Fri Oct 20 10:26:40 UTC 2023


Back to my question about interactive mode having gone away in 3.0

The actual usage was a test script which is run when building our engine to
check it is loadable (before everything is installed).  The script was:
     engine dynamic -pre SO_PATH:libs/nfkm.so -pre ID:nfkm -pre LIST_ADD:1 -pre LOAD
     engine -t nfkm

Well, running the first line from the command line works well enough:
     $ external/OpenSSL3.0/bin/openssl engine dynamic -pre SO_PATH:libs/nfkm.so -pre ID:nfkm -pre LIST_ADD:1 -pre LOAD
     (dynamic) Dynamic engine loading support
     [Success]: SO_PATH:libs/nfkm.so
     [Success]: ID:nfkm
     [Success]: LIST_ADD:1
     [Success]: LOAD
     Loaded: (nfkm) nShield NFKM engine

But running the second line (not surprisingly) fails:
     # external/OpenSSL3.0/bin/openssl engine -t nfkm
     40971265517F0000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:118:filename(/opt/nfast/openssl/lib64/engines-3/nfkm.so): /opt/nfast/openssl/lib64/engines-3/nfkm.so: cannot open shared object file: No such file or directory
     40971265517F0000:error:12800067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:152:
     40971265517F0000:error:13000084:engine routines:dynamic_load:dso not found:crypto/engine/eng_dyn.c:442:
     40971265517F0000:error:13000074:engine routines:ENGINE_by_id:no such engine:crypto/engine/eng_list.c:430:id=nfkm

That's rather expected - the engine is not at anything like the right place
yet (openssl was looking in /opt/nfast/openssl/lib64/engines-3/nfkm.so).

If I append the "-t nfkm" to the end of the first line it fails in a rather
different way as follows (but I'm not sure if that is supposed to work or not):
     $ external/OpenSSL3.0/bin/openssl engine dynamic -pre SO_PATH:libs/nfkm.so -pre ID:nfkm -pre LIST_ADD:1 -pre LOAD -t nfkm
     (dynamic) Dynamic engine loading support
     [Success]: SO_PATH:libs/nfkm.so
     [Success]: ID:nfkm
     [Success]: LIST_ADD:1
     [Success]: LOAD
     Loaded: (nfkm) nShield NFKM engine
          [ unavailable ]
     (nfkm) nShield NFKM engine
     [Failure]: SO_PATH:libs/nfkm.so
     4097B897FE7E0000:error:13000089:engine routines:ENGINE_ctrl_cmd_string:invalid cmd name:crypto/engine/eng_ctrl.c:258:
     [Failure]: ID:nfkm
     4097B897FE7E0000:error:13000089:engine routines:ENGINE_ctrl_cmd_string:invalid cmd name:crypto/engine/eng_ctrl.c:258:
     [Failure]: LIST_ADD:1
     4097B897FE7E0000:error:13000089:engine routines:ENGINE_ctrl_cmd_string:invalid cmd name:crypto/engine/eng_ctrl.c:258:
     [Failure]: LOAD
     4097B897FE7E0000:error:13000089:engine routines:ENGINE_ctrl_cmd_string:invalid cmd name:crypto/engine/eng_ctrl.c:258:
          [ unavailable ]

What I had hoped would work, is a very simple openssl.cnf - but that doesn't
seem to work either:
     $ cat openssl.cnf
     [ engines ]
     nfkm = nfkm_engine

     [ nfkm_engine ]
     dynamic_path = /home/mbonner/git/main/build-host-linux/libs/nfkm.so

     $ OPENSSL_CONF=openssl.cnf external/OpenSSL3.0/bin/openssl engine -t nfkm
     40E77A2C157F0000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:118:filename(/opt/nfast/openssl/lib64/engines-3/nfkm.so): /opt/nfast/openssl/lib64/engines-3/nfkm.so: cannot open shared object file: No such file or directory
     40E77A2C157F0000:error:12800067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:152:
     40E77A2C157F0000:error:13000084:engine routines:dynamic_load:dso not found:crypto/engine/eng_dyn.c:442:
     40E77A2C157F0000:error:13000074:engine routines:ENGINE_by_id:no such engine:crypto/engine/eng_list.c:430:id=nfkm
     $

... and I get a very similar failure for nfkm_engine.

It feels like I _ought_ to be able to get this to work, but I am missing
something.  Any suggestions gratefully received.

--
Martin Bonner (he/him)
Phone: +49 151 5046 3855
martin.bonner at entrust.com


Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.


More information about the openssl-users mailing list