Bug 2005936

Summary: pkcs11: wpa_supplicant can't load shared library
Product: Red Hat Enterprise Linux 7
Component: NetworkManager
Version: 7.9
Status: CLOSED CANTFIX
Severity: low
Priority: unspecified
Type: Bug
Reporter: David Jaša <djasa>
Assignee: NetworkManager Development Team <nm-team>
QA Contact: Desktop QE <desktop-qa-list>
CC: bgalvani, ferferna, lrintel, rkhan, sukulkar, till
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Last Closed: 2022-02-22 09:27:26 UTC

Description David Jaša 2021-09-20 14:04:04 UTC
Description of problem:
wpa_supplicant or openssl on el7 can't load PKCS#11 shared library

[probably not worth fixing but let's have it here for the record]


Version-Release number of selected component (if applicable):
NetworkManager-1.33.2-29238.copr.a8866095dd.el7.x86_64
wpa_supplicant-2.6-12.el7_9.2.x86_64
openssl-1.0.2k-21.el7_9.x86_64
softhsm-2.1.0-3.el7.x86_64

How reproducible:
always

Steps to Reproduce:
0. install softhsm, create nmci token with nmclient object with key and cert
1. get NetworkManager-ci, run 'sh prepare/hostapd.wired contrib/8021x/certs'
2. nmcli c add con-name con_pkcs11 type ethernet ifname test8X
3. nmcli c modify id con_pkcs11 autoconnect no 802-1x.eap tls 802-1x.identity test 802-1x.ca-cert /tmp/certs/test_user.ca.pem 802-1x.client-cert 'pkcs11:token=nmci;object=nmclient' 802-1x.client-cert-password-flags 4 802-1x.private-key 'pkcs11:token=nmci;object=nmclient?pin-value=1234' 802-1x.private-key-password-flags 4
4. nmcli c up id con_pkcs11

Actual results:
wpa_supplicant log:
SSL: Initializing TLS engine
ENGINE: engine pkcs11 not available [error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library]
TLS: Failed to set TLS connection parameters
ENGINE: engine deinit
EAP-TLS: Failed to initialize SSL.
EAP-TLS: Requesting private key passphrase  # <-- this is pointless, proper error should be reported back instead, see bug 2002572

Expected results:
wpa_supplicant uses the key and cert correctly

Additional info:

Comment 4 Fernando F. Mancera 2022-02-22 09:27:26 UTC
pkcs11 is not supported in RHEL 7 and this is fixed on RHEL 8. Thanks!
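
Added example, not part of the bug report: a Python triage of the wpa_supplicant log quoted in the description. It unpacks the OpenSSL 1.0.x error code to confirm that the root cause is a failed shared-library load, and counts the passphrase prompts that follow it; the names `unpack_error` and `triage` are assumptions made for this example.

```python
import re

# OpenSSL 1.0.x packs an error as lib (8 bits) | func (12 bits) | reason (12 bits).
ERR_LIB_DSO = 37          # "DSO support routines"
DSO_R_LOAD_FAILED = 103   # "could not load the shared library"

# Log excerpt from the bug description (reporter's inline annotation removed).
SAMPLE_LOG = """\
SSL: Initializing TLS engine
ENGINE: engine pkcs11 not available [error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library]
TLS: Failed to set TLS connection parameters
ENGINE: engine deinit
EAP-TLS: Failed to initialize SSL.
EAP-TLS: Requesting private key passphrase
"""

ENGINE_RE = re.compile(
    r"ENGINE: engine (?P<engine>\S+) not available \[error:(?P<code>[0-9A-Fa-f]{8}):")


def unpack_error(code_hex):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def triage(log_text):
    """Return the first engine-load finding in a wpa_supplicant log, or None."""
    lines = log_text.splitlines()
    for idx, line in enumerate(lines):
        m = ENGINE_RE.search(line)
        if not m:
            continue
        lib, func, reason = unpack_error(m.group("code"))
        # Passphrase prompts after this point are a symptom, not the cause.
        prompts = [l for l in lines[idx + 1:]
                   if "Requesting private key passphrase" in l]
        return {
            "engine": m.group("engine"),
            "lib": lib, "func": func, "reason": reason,
            "dso_load_failed": lib == ERR_LIB_DSO and reason == DSO_R_LOAD_FAILED,
            "misleading_prompts": len(prompts),
        }
    return None


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```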