Bug 2005832

Summary: PKCS11 backend not available after OpenSSL 3 rebuild
Product: [Fedora] Fedora
Component: openssl-pkcs11
Version: rawhide
Status: CLOSED RAWHIDE
Severity: urgent
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Petr Menšík <pemensik>
Assignee: Jakub Jelen <jjelen>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: ansasaki, crypto-team, jjelen
Flags: fedora-admin-xmlrpc: mirror+
Fixed In Version: openssl-pkcs11-0.4.11-6.fc36
Last Closed: 2021-09-21 13:55:42 UTC
Type: Bug
Bug Blocks: 2005795

Description Petr Menšík 2021-09-20 10:01:51 UTC
Description of problem:
openssl-pkcs11-0.4.11-5.fc36 failed to rebuild during side-tag 

Version-Release number of selected component (if applicable):
openssl-pkcs11-0.4.11-4.fc35.x86_64
openssl-3.0.0-1.fc36.x86_64


How reproducible:
always

Steps to Reproduce:
1. dnf install openssl-pkcs11
2. openssl engine -vv pkcs11

Actual results:
00AC0538E57F0000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:118:filename(/usr/lib64/engines-3/pkcs11.so): /usr/lib64/engines-3/pkcs11.so: cannot open shared object file: No such file or directory
00AC0538E57F0000:error:12800067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:162:
00AC0538E57F0000:error:13000084:engine routines:dynamic_load:dso not found:crypto/engine/eng_dyn.c:422:
00AC0538E57F0000:error:13000074:engine routines:ENGINE_by_id:no such engine:crypto/engine/eng_list.c:343:id=pkcs11


Expected results:
No error

Additional info:
Because PKCS11 is used by bind, it blocks a new build of bind (bug #2005795) and freeipa. It is not able to even start, because it uses PKCS11 for compatibility with opendnssec. But it cannot initialize the openssl 1.1 module from an openssl 3.0 build.

Comment 1 Jakub Jelen 2021-09-21 06:44:06 UTC
The openssl-pkcs11 has a hardcoded path to the engines directory. Let me fix that in a similar way as in c9s, which has had this change for some time already.

Comment 2 Jakub Jelen 2021-09-21 06:50:42 UTC
Built in koji:

https://koji.fedoraproject.org/koji/taskinfo?taskID=76046231

Let me know if it works fine for you.

Comment 3 Petr Menšík 2021-09-21 13:55:42 UTC
Sure, thank you, it is much better. Not yet in repository, but it works with downloaded packages from koji.
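
A diagnostic for the failure reported above, added here as an example and not taken from the bug report or the package: it compares the engines directory that OpenSSL reports with the place where pkcs11.so is actually installed. The function names and the search of sibling engines-* directories are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic example; function names are hypothetical.

# Extract the directory from the output of `openssl version -e`, e.g.
#   ENGINESDIR: "/usr/lib64/engines-3"
parse_enginesdir() {
    printf '%s\n' "$1" | sed -n 's/^ENGINESDIR: "\(.*\)"$/\1/p'
}

# Compare where OpenSSL looks for an engine with where the module is installed.
#   $1 = engines directory reported by OpenSSL
#   $2 = engine file name (default: pkcs11.so)
# Prints "ok <path>", "mismatch <path>" or "missing";
# returns 0, 1 or 2 respectively.
check_engine() {
    dir=$1
    name=${2:-pkcs11.so}
    if [ -f "$dir/$name" ]; then
        echo "ok $dir/$name"
        return 0
    fi
    # The module may have been installed into an engines directory that
    # belongs to a different OpenSSL version (assumption: such directories
    # sit next to the reported one and are named engines-*).
    for cand in "$(dirname "$dir")"/engines-*/"$name"; do
        if [ -f "$cand" ]; then
            echo "mismatch $cand"
            return 1
        fi
    done
    echo "missing"
    return 2
}

# Run against the local installation when the openssl binary is available.
if command -v openssl >/dev/null 2>&1; then
    check_engine "$(parse_enginesdir "$(openssl version -e)")" || true
fi
```

A "mismatch" result means the module was installed for a different OpenSSL than the one in use, which is the symptom behind the dlfcn_load error in the report.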