Re: dnssec-keyfromlabel not working with Debian 12 (bookworm)

2023-12-04 Thread Ondřej Surý
I've added a warning to the KB article now. Thanks for reporting this. -- Ondřej Surý (He/Him) ond...@isc.org My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours. > On 4. 12. 2023, at 14:45, Gérard Parat via

Re: dnssec-keyfromlabel not working with Debian 12 (bookworm)

2023-12-04 Thread Gérard Parat via bind-users
Hi, I'll follow your advice and postpone the use of SoftHSM2 for the time being. Anyway, thanks for your help! Gérard On 04/12/2023 at 14:31, Ondřej Surý wrote: Hi, the guide was written for OpenSSL 1.1.x and tested with that version and the engines support in OpenSSL 3.x is deprecated,

Re: dnssec-keyfromlabel not working with Debian 12 (bookworm)

2023-12-04 Thread Ondřej Surý
Hi, the guide was written for OpenSSL 1.1.x and tested with that version and the engines support in OpenSSL 3.x is deprecated, so most probably something got broken along the way. Everything works properly with OpenSSL 1.1.x (for example on Ubuntu focal). There's a new provider for OpenSSL 3.x

Re: dnssec-keyfromlabel not working with Debian 12 (bookworm)

2023-12-03 Thread Gérard Parat via bind-users
Hi, Weird behavior with /opt/bind9/etc/openssl.cnf. The only difference with /etc/ssl/openssl.cnf is the pkcs11 engine:
[openssl_init]
engines=engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path =

Re: dnssec-keyfromlabel not working with Debian 12 (bookworm)

2023-12-03 Thread Gérard Parat via bind-users
Hi, Sorry for the typo (command is correct in strace file), here is the unedited log:
$ dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "token=bind9;object=example.net-ksk" -f KSK example.net
dnssec-keyfromlabel: fatal: could not initialize dst: crypto failure
Gérard On 03/12/2023 at 19:06,

Re: dnssec-keyfromlabel not working with Debian 12 (bookworm)

2023-12-03 Thread Ondřej Surý
Hi, I directly see a missing semicolon in the failed command. Please provide full unedited log, so we can be sure that the error was not made when redacting the output. Ondrej -- Ondřej Surý — ISC (He/Him) My working hours and your working hours may be different. Please do not feel obligated

dnssec-keyfromlabel not working with Debian 12 (bookworm)

2023-12-03 Thread Gérard Parat via bind-users
Hi, I used this tutorial as reference to set up DNSSEC with SoftHSM2: https://kb.isc.org/docs/bind-9-pkcs11 I installed the Debian package instead of building libp11: libengine-pkcs11-openssl:amd64 0.4.12-0.1 It works until reaching this command: $ dnssec-keyfromlabel \ -E pkcs11 \ -a