Bug 2005936 - pkcs11: wpa_supplicant can't load shared library
Summary: pkcs11: wpa_supplicant can't load shared library
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: NetworkManager
Version: 7.9
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: NetworkManager Development Team
QA Contact: Desktop QE
Reported: 2021-09-20 14:04 UTC by David Jaša
Modified: 2021-09-20 14:04 UTC


Links: Red Hat Issue Tracker RHELPLAN-97647 (Private: 0; Priority: None; Status: None; Summary: None; Last Updated: 2021-09-20 14:04:47 UTC)

Description David Jaša 2021-09-20 14:04:04 UTC
Description of problem:
wpa_supplicant or openssl on el7 can't load PKCS#11 shared library

[probably not worth fixing but let's have it here for the record]

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
0. install softhsm, create nmci token with nmclient object with key and cert
1. get NetworkManager-ci, run 'sh prepare/hostapd.wired contrib/8021x/certs'
2. nmcli c add con-name con_pkcs11 type ethernet ifname test8X
3. nmcli c modify id con_pkcs11 autoconnect no 802-1x.eap tls 802-1x.identity test 802-1x.ca-cert /tmp/certs/test_user.ca.pem 802-1x.client-cert 'pkcs11:token=nmci;object=nmclient' 802-1x.client-cert-password-flags 4 802-1x.private-key 'pkcs11:token=nmci;object=nmclient?pin-value=1234' 802-1x.private-key-password-flags 4
4. nmcli c up id con_pkcs11

Actual results:
wpa_supplicant log:
SSL: Initializing TLS engine
ENGINE: engine pkcs11 not available [error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library]
TLS: Failed to set TLS connection parameters
ENGINE: engine deinit
EAP-TLS: Failed to initialize SSL.
EAP-TLS: Requesting private key passphrase  # <-- this is pointless, proper error should be reported back instead, see bug 2002572

Expected results:
wpa_supplicant uses the key and cert correctly

Additional info:

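Added example, not part of the original report and not wpa_supplicant or NetworkManager code: a Python triage over the log excerpt above that extracts the OpenSSL error from the ENGINE line and marks a passphrase request that follows it as a follow-on of the engine load failure rather than a real PIN prompt, as the reporter's annotation describes. The function name, field names and finding labels are hypothetical.

```python
import re

# "ENGINE: engine <id> not available [error:<hex>:<library>:<function>:<reason>]"
ENGINE_FAIL = re.compile(
    r"ENGINE: engine (?P<engine>\S+) not available "
    r"\[error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^\]]*)\]"
)
TLS_INIT = "SSL: Initializing TLS engine"
PASSPHRASE_REQ = "EAP-TLS: Requesting private key passphrase"

# Log lines as quoted in the report above.
REPORT_LOG = [
    "SSL: Initializing TLS engine",
    "ENGINE: engine pkcs11 not available [error:25066067:DSO support routines:"
    "DLFCN_LOAD:could not load the shared library]",
    "TLS: Failed to set TLS connection parameters",
    "ENGINE: engine deinit",
    "EAP-TLS: Failed to initialize SSL.",
    "EAP-TLS: Requesting private key passphrase",
]


def triage(lines):
    """Classify engine load failures and the passphrase requests that follow them."""
    findings = []
    failed_engine = None  # engine that failed during the current TLS init attempt
    for line in lines:
        if TLS_INIT in line:
            failed_engine = None  # a new attempt starts; forget earlier failures
            continue
        m = ENGINE_FAIL.search(line)
        if m:
            failed_engine = m.group("engine")
            findings.append({"kind": "engine_load_failure", **m.groupdict()})
        elif PASSPHRASE_REQ in line:
            if failed_engine:
                # The key was never reached, so a PIN cannot help here.
                findings.append({"kind": "spurious_passphrase_request",
                                 "caused_by": failed_engine})
            else:
                findings.append({"kind": "passphrase_request"})
    return findings


if __name__ == "__main__":
    for finding in triage(REPORT_LOG):
        print(finding)
```

Matching uses substring search, so lines that carry an interface name or timestamp prefix are still recognized.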