> Regarding the pkcs11-sign-provider: Did you upgrade it to the 1.0.1
> release?
Yes, I was using 1.0.1 from noble:
openssl-pkcs11-sign-provider 1.0.1-0ubuntu1
And pkcs11-provider 0.3-1.
> Note: I would NOT recommend to use 'openssl -provider xxxx', but configure
> the provider in the OpenSSL
> config file
It's what I did. openssl list -providers works without further options,
indicating the system-wide openssl config file is loading the module:
$ openssl list -providers
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.10
    status: active
  pkcs11sign
    name: PKCS11 signing key provider
    version: 1.0.1
    status: active
I think apache is not even trying, or not able, to load the private key
from softhsm2. When I start it in the foreground with -X, it doesn't
prompt for the pin. And it doesn't change if I give the pin-value in the
pkcs11 URI or not. More investigation/testing is needed. This setup is
somewhat complex, involving multiple libraries from different source
packages; it's quite possible I did something wrong.
--
https://bugs.launchpad.net/bugs/2050017
Title:
[FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache
httpd for openSSL 3.0 with PKCS #11 provider