Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1357521

Summary: EWS 2.1.1 DR4: openssl hardcoded engine search path to /opt/rh/jbcs-httpd24/root/usr/lib64/openssl/engines/
Product: [JBoss] JBoss Enterprise Web Server 2
Component: openssl
Version: 2.1.1
Hardware: x86_64
OS: Linux
Status: CLOSED WONTFIX
Severity: urgent
Priority: urgent
Target Milestone: CR01
Target Release: 2.1.1
Reporter: Michal Karm Babacek <mbabacek>
Assignee: Jean-frederic Clere <jclere>
QA Contact: Michal Karm Babacek <mbabacek>
CC: gzaronik, jclere, jonderka
Doc Type: If docs needed, set a value
Doc Text:
Using a custom engine is feasible per the official upstream documentation: https://www.openssl.org/docs/manmaster/apps/config.html. Note that, in order to get your custom engine working, the openssl_conf entry that points at your engine configuration has to be placed in the default (unnamed) section at the top of the openssl.cnf file, before any other [section] header; if it is written below a section header it belongs to that section and OpenSSL never reads it. Nothing else is needed besides exporting the OPENSSL_CONF variable so that openssl uses this configuration file.
Type: Bug
Last Closed: 2019-06-13 12:20:08 UTC

Description Michal Karm Babacek 2016-07-18 12:33:17 UTC
Description of problem:

When I want to use my own OpenSSL engine, I cannot do that unless I copy the shared object to /opt/rh/jbcs-httpd24/root/usr/lib64/openssl/engines/.

I tried the following and failed:

 - configure engine dynamic_path in jboss-ews-2.1/httpd/sbin/conf/openssl/pki/tls/openssl.cnf and export OPENSSL_CONF

 - export PATH to the location of jboss-ews-2.1/httpd/lib/openssl/engines/
 
 - export LD_LIBRARY_PATH to jboss-ews-2.1/httpd/lib/openssl/engines/


Explicit invocation seems to work though:

> [hudson@rhel7GAx86-64 sbin]$ ./openssl engine -t dynamic -pre SO_PATH:/tmp/jboss-ews-2.1/httpd/lib/openssl/engines/libdummy.so -pre ID:dummy -pre LIST_ADD:1 -pre LOAD
> (dynamic) Dynamic engine loading support
> [Success]: SO_PATH:/tmp/jboss-ews-2.1/httpd/lib/openssl/engines/libdummy.so
> [Success]: ID:dummy
> [Success]: LIST_ADD:1
> [Success]: LOAD
> Loaded: (dummy) Dummy hardware engine support
> dummy_init: Refcount now 1
>      [ available ]
> dummy_finish: Refcount now 0

Except it doesn't persist:

> [hudson@rhel7GAx86-64 sbin]$ ./openssl engine dummy
> 140167400515488:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(/opt/rh/jbcs-httpd24/root/usr/lib64/openssl/engines/libdummy.so): /opt/rh/jbcs-httpd24/root/usr/lib64/openssl/engines/libdummy.so: cannot open shared object file: No such file or directory
> 140167400515488:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
> 140167400515488:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:467:
> 140167400515488:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:392:id=dummy


Only when I copy my libdummy.so to /opt/rh/jbcs-httpd24/root/usr/lib64/openssl/engines/ does it start to work:

> [hudson@rhel7GAx86-64 sbin]$ ./openssl engine dummy
> (dummy) Dummy hardware engine support

Questions:

 - is it work-around-able? could I make it work without copying anything to /opt/rh/?

 - what's the recommended way of configuring this for our customers; in other words, what should appear in the documentation?

 - how does one compile one's own CryptoEngine without access to the EWS 2.1.1 OpenSSL 1.0.2h headers? I had to download the -devel- package from Brew, because the EWS src zip does not contain the necessary openssl files.

Comment 1 Jan Onderka 2016-08-05 11:02:53 UTC
Blocker? requires_doc_text?

Comment 2 Jean-frederic Clere 2016-08-09 07:58:38 UTC
Basically it should be possible to use openssl.cnf (see https://www.openssl.org/docs/manmaster/apps/config.html) to configure openssl to get a custom engine to work as expected.

Comment 3 George Zaronikas 2016-08-10 08:19:15 UTC
Using a custom engine by setting it up in openssl.cnf is feasible. I tried it on my local box and it works.

openssl.cnf configuration:

openssl_conf = openssl_def
[openssl_def]
engines = engine_section

[engine_section]

dummy = dummy_section

[dummy_section]
engine_id = dummy
dynamic_path = /home/gzaronikas/Documents/github_gzaronikas/DummyCryptoDevice/lib/libdummy.so

Exporting OPENSSL_CONF and running openssl then gives me:

[gzaronikas@dhcp-10-40-5-148 httpd]$ OPENSSL_CONF=conf/openssl/pki/tls/openssl.cnf sbin/openssl engine dummy
dummy_init: Refcount now 1
(dummy) Dummy hardware engine support
dummy_finish: Refcount now 0

Note that, in order to get it working, I had to add the configuration at the top of openssl.cnf, before any other section.

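The two pitfalls described in the Doc Text and in Comment 3 above are easy to check for mechanically: OpenSSL only honours the openssl_conf entry point when it sits in the default (unnamed) section before the first [section] header, and an engine section without dynamic_path makes the dynamic loader search only the compiled-in ENGINESDIR (the /opt/rh/jbcs-httpd24/... path from the report). The following linter is an added example written for this page, not code from the bug report or from OpenSSL; it models a simplified openssl.cnf (no $var or ${sec::var} expansion), and the sample configs and the libdummy.so path are constructed.

```python
"""Lint an openssl.cnf for the engine-loading pitfalls discussed in this bug.

OpenSSL apps find the config entry point by looking up ``openssl_conf`` in the
default (unnamed) section, i.e. the lines before the first ``[section]`` header.
Written below a header, the key belongs to that section and is ignored.  The
chain is then openssl_conf -> engines -> <name> = <engine section> ->
engine_id / dynamic_path; without dynamic_path only ENGINESDIR is searched.
"""
import os
import re

DEFAULT = "default"  # OpenSSL's name for the unnamed leading section
_SECTION_RE = re.compile(r"^\[\s*([^\]]+?)\s*\]$")


def parse_openssl_cnf(text):
    """Return {section: {key: value}} for a simplified openssl.cnf.

    Handles [section] headers, key = value pairs and # comments; variable
    expansion ($var, ${sec::var}, $ENV::var) is deliberately not performed.
    """
    sections = {DEFAULT: {}}
    current = DEFAULT
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = _SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def configured_engines(sections):
    """Walk openssl_conf -> engines -> engine sections like OpenSSL's config module.

    Returns [(engine_id, dynamic_path_or_None), ...]; an entry point outside the
    default section yields nothing, which is the silent failure from Comment 3.
    """
    init_section = sections[DEFAULT].get("openssl_conf")
    engine_list = sections.get(init_section, {}).get("engines") if init_section else None
    if engine_list is None:
        return []
    engines = []
    for name, section_name in sections.get(engine_list, {}).items():
        eng = sections.get(section_name, {})
        engines.append((eng.get("engine_id", name), eng.get("dynamic_path")))
    return engines


def lint_engine_config(text, check_paths=False):
    """Return a list of findings; an empty list means the engine config looks sane."""
    findings = []
    sections = parse_openssl_cnf(text)
    if "openssl_conf" not in sections[DEFAULT]:
        misplaced = [s for s, kv in sections.items() if s != DEFAULT and "openssl_conf" in kv]
        if misplaced:
            findings.append("openssl_conf is under [%s]; move it above the first "
                            "section header or OpenSSL never sees it" % misplaced[0])
        else:
            findings.append("no openssl_conf in the default section; engines not configured")
        return findings
    engines = configured_engines(sections)
    if not engines:
        findings.append("openssl_conf chain does not reach any engine section")
    for engine_id, path in engines:
        if path is None:
            findings.append("engine %s has no dynamic_path; lib%s.so is only searched for "
                            "in the compiled-in ENGINESDIR" % (engine_id, engine_id))
        elif not os.path.isabs(path):
            findings.append("engine %s: dynamic_path %r must be absolute" % (engine_id, path))
        elif check_paths and not os.path.isfile(path):
            findings.append("engine %s: dynamic_path %s does not exist" % (engine_id, path))
    return findings


# Constructed samples; the .so path is hypothetical (modelled on the bug's test box).
SO_PATH = "/tmp/jboss-ews-2.1/httpd/lib/openssl/engines/libdummy.so"
ENGINE_BLOCK = """\
[openssl_def]
engines = engine_section

[engine_section]
dummy = dummy_section

[dummy_section]
engine_id = dummy
"""
# Entry point in the default section, as in Comment 3: works.
GOOD_CNF = "openssl_conf = openssl_def\n\n" + ENGINE_BLOCK + "dynamic_path = %s\n" % SO_PATH
# Same directives appended after a stock section: openssl_conf lands in [ req ].
MISPLACED_CNF = "[ req ]\ndefault_bits = 2048\n\n" + GOOD_CNF
# No dynamic_path: OpenSSL falls back to the hardcoded ENGINESDIR from the report.
NO_PATH_CNF = "openssl_conf = openssl_def\n\n" + ENGINE_BLOCK

if __name__ == "__main__":
    for label, cnf in (("good", GOOD_CNF), ("misplaced", MISPLACED_CNF), ("no path", NO_PATH_CNF)):
        print(label, "->", lint_engine_config(cnf) or ["OK"])
```

Run it against a customer's openssl.cnf with check_paths=True to also confirm that the shared object named in dynamic_path actually exists on the target host; that is the case the explicit -pre SO_PATH invocation in the description exercises by hand.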
Comment 4 Michal Karm Babacek 2016-08-10 08:34:57 UTC
> Note down that in order to get it working, I had to add the
> configuration on the upper side of openssl.cnf before any other section

OMG :-) O.K.

Could it be figured out from the upstream documentation, or should we add a note about it in the Release Notes?

Comment 5 George Zaronikas 2016-08-10 08:41:40 UTC
Michal, to me it is not clear at all from the upstream documentation. It definitely needs to be relnoted.