The OpenConnect CI uses Fedora to build against both GnuTLS and OpenSSL: http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/.gitlab-ci.yml Builds have started failing, because pkgconfig(libp11) can no longer be found. It looks like we dropped the -devel package at around the time we renamed from libp11 to openssl-pkcs11. Why? Applications which really want to get things right do actually need to use libp11 directly and not the engine. (Or not use OpenSSL at all, of course).
Hi David, we removed libp11 as a library to link with from Fedora because there were no dependencies using it. It has quite some issues as a library and it is not certain whether openssl upstream will end up with something similar for PKCS#11 support, so we thought it would be better for the long run to only bring the engine_pkcs11 (now openssl-pkcs11).
OpenSSL upstream will probably end up with a STORE loader which does PKCS#11. But in the meantime, libp11 is the best approach for applications that really care about getting stuff right. There are things you just can't do with the engine — like finding a key to match your cert, etc. It doesn't have *that* many issues as a library, and we're *shipping* it anyway since it's the basis for the ENGINE. Please could we have it back?
Anderson, what do you think, could we re-include the libp11-devel package in Fedora?
Yes, we can.
openssl-pkcs11-0.4.7-7.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1e5d7b77cf
openssl-pkcs11-0.4.7-7.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1e5d7b77cf
openssl-pkcs11-0.4.7-7.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.