Bug 1854369

Summary: curl cannot use the openssl engine like pkcs11
Product: Red Hat Enterprise Linux 8
Reporter: Masahiro Matsuya <mmatsuya>
Component: curl
Assignee: Kamil Dudka <kdudka>
Status: CLOSED ERRATA
QA Contact: Daniel Rusek <drusek>
Severity: medium
Priority: medium
Version: 8.2
CC: kdudka
Target Milestone: rc
Flags: pm-rhel: mirror+
Target Release: 8.0
Hardware: All
OS: Linux
Fixed In Version: curl-7.61.1-13.el8
Last Closed: 2020-11-04 02:16:24 UTC
Type: Bug

Description Masahiro Matsuya 2020-07-07 10:06:35 UTC
Description of problem:

curl cannot use the openssl engine.
Please include this upstream patch:
   https://github.com/curl/curl/commit/e2dd435d473cdc97785df95d032276fafb4b7746

The HAVE_ENGINE_LOAD_BUILTIN_ENGINES macro isn't used any more, since it has been replaced by USE_OPENSSL_ENGINE.
Just one macro is remaining, and it caused a problem loading the openssl engines.


Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux 8

How reproducible:
Always

Steps to Reproduce:

1. Set up openssl engines by changing /etc/pki/tls/openssl.cnf


@@ -29,6 +29,7 @@ openssl_conf = default_modules
 [ default_modules ]
 
 ssl_conf = ssl_module
+engines = engine_section
 
 [ ssl_module ]
 
@@ -366,3 +367,12 @@ ess_cert_id_chain	= no	# Must the ESS ce
 				# (optional, default: no)
 ess_cert_id_alg		= sha1	# algorithm to compute certificate
 				# identifier (optional, default: sha1)
+
+
+[engine_section]
+pkcs11 = pkcs11_section
+
+[pkcs11_section]
+engine_id = pkcs11
+dynamic_path = /usr/lib64/engines-1.1/libpkcs11.so
+init = 0
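
Review bot: The new [engine_section] and [pkcs11_section] entries in the second hunk carry no comments, while the neighbouring settings such as ess_cert_id_alg each have one. The line 'dynamic_path = /usr/lib64/engines-1.1/libpkcs11.so' pins a lib64 and engines-1.1 directory, so it is tied to one architecture and one OpenSSL version, and 'init = 0' is not self-explanatory. Suggest a short comment on each of those two lines, the same '[ name ]' bracket spacing the file uses for '[ default_modules ]', and one blank separator line instead of the two added at the top of the hunk.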


2. Run the openssl command to confirm that the engine is configured.

# openssl engine -t
(rdrand) Intel RDRAND engine
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
(pkcs11) pkcs11 engine
     [ available ]

 
3. Run curl commands

# curl --engine list
Build-time engines:
  <none>

# curl --engine pkcs11 https://bugzilla.redhat.com
curl: (53) SSL Engine 'pkcs11' not found



Actual results:
curl cannot use the openssl engines.


Expected results:
curl can use the openssl engines.
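
The reproduction steps above as a scripted check, added here as an example and not part of the original report or of curl: it compares the engine IDs that `openssl engine -t` marks available with those printed by `curl --engine list`. The function names are hypothetical, and the CURL_FIXED sample is constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of curl or OpenSSL.

# Read `openssl engine -t` output on stdin; print IDs marked "[ available ]".
openssl_available_engines() {
    awk '/^\(/ { id = $1; gsub(/[()]/, "", id); next }
         /\[ available \]/ && id != "" { print id; id = "" }'
}

# Read `curl --engine list` output on stdin; print engine IDs, skipping the
# "Build-time engines:" header and the "<none>" placeholder.
curl_engines() {
    awk 'NR > 1 && NF && $1 != "<none>" { print $1 }'
}

# $1 = openssl output, $2 = curl output. Prints each engine OpenSSL can use
# that curl does not list; empty output means the two agree.
missing_in_curl() {
    curl_ids=$(printf '%s\n' "$2" | curl_engines)
    printf '%s\n' "$1" | openssl_available_engines | while read -r id; do
        printf '%s\n' "$curl_ids" | grep -qxF -- "$id" || printf '%s\n' "$id"
    done
}

# Sample output copied from the report above.
OPENSSL_SAMPLE='(rdrand) Intel RDRAND engine
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
(pkcs11) pkcs11 engine
     [ available ]'
CURL_AFFECTED='Build-time engines:
  <none>'
# Constructed sample of what a curl build that enumerates engines would print.
CURL_FIXED='Build-time engines:
  rdrand
  dynamic
  pkcs11'

# On a live host, pass the real command output instead:
#   missing_in_curl "$(openssl engine -t 2>/dev/null)" "$(curl --engine list)"
echo "affected sample: $(missing_in_curl "$OPENSSL_SAMPLE" "$CURL_AFFECTED" | tr '\n' ' ')"
echo "fixed sample:    $(missing_in_curl "$OPENSSL_SAMPLE" "$CURL_FIXED" | tr '\n' ' ')"
```

Any engine ID printed for a host means OpenSSL can use that engine while curl does not list it, which is the mismatch this report describes.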

Comment 8 errata-xmlrpc 2020-11-04 02:16:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: curl security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4599