I currently do not have a more regular smartcard setup to test out a hardware pk11 engine with openssl, which is typically the most common one. But I can use the software gost engine to test that algos provided by the engine operate correctly.
Installed openssl from proposed, and gost engine.

$ dpkg -l | grep -e 1.1.1f -e openssl
ii  libengine-gost-openssl1.1  1.1.0.3-1          amd64  Loadable module for openssl implementing GOST algorithms
ii  libssl1.1:amd64            1.1.1f-1ubuntu2.9  amd64  Secure Sockets Layer toolkit - shared libraries
ii  openssl                    1.1.1f-1ubuntu2.9  amd64  Secure Sockets Layer toolkit - cryptographic utility

Without engine configured, connectivity fails to GOST only website:

# openssl s_client -connect tlsgost.cryptopro.ru:443
CONNECTED(00000003)
140163445085504:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1941:

Configured gost engine, and connect to GOST only website:

# openssl s_client -connect tlsgost.cryptopro.ru:443
CONNECTED(00000003)
depth=0 CN = id-GostR3410-2001-CryptoPro-XchA-ParamSet_256noauth
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = id-GostR3410-2001-CryptoPro-XchA-ParamSet_256noauth
verify error:num=21:unable to verify the first certificate
verify return:1
...
New, TLSv1.0, Cipher is GOST2012-GOST8912-GOST8912
Server public key is 256 bit
...
GET /
...
<p> TLS connection with id-GostR3410-2001-CryptoPro-XchA-ParamSet no auth requred.</p>

Connectivity using algos provided by a crypto engine worked. Note that certificate was not verified, as we don't currently ship GOST CA certificates.

--
https://bugs.launchpad.net/bugs/1940656

Title:
  Potential use after free bugs in 1.1.1
