Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-20249

OpenSSL 3.0: SSL ECDHE Kex fails when pkcs11 engine is set in config file

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Minor Minor
    • rhel-9.4
    • rhel-9.3.0
    • openssl
    • openssl-3.0.7-26.el9
    • None
    • None
    • 1
    • rhel-sst-security-crypto
    • ssg_security
    • 26
    • 0.5
    • False
    • Hide

      None

      Show
      None
    • No
    • Red Hat Enterprise Linux
    • Crypto24Q1
    • Release Note Not Required
    • All
    • None

      What were you trying to do that didn't work?
      When setting up the PKCS#11 engine in /etc/pki/tls/openssl.cnf GIT and CURL are displaying SSL errors for the target server supporting only a NIST curve based Key Exchange algorithm (e.g. ECDHE-RSA-AES256-GCM-SHA384)

      Please provide the package NVR for which bug is seen:
      openssl-3.0.7-24.el9.x86_64
      openssl-pkcs11-0.4.11-7.el9.x86_64

      Steps to reproduce
      1. add pkcs11 engine in /etc/pki/tls/openssl.cnf:
      -------------------------------------------------------------
      [openssl_init]
      providers = provider_sect
      ssl_conf = ssl_module
      engines = engine_sect

      [engine_sect]
      pkcs11 = pkcs11_section

      [pkcs11_section]
      engine_id = pkcs11
      dynamic_path = /usr/lib64/engines-3/libpkcs11.so
      MODULE_PATH = /usr/lib64/softhsm/libsofthsm.so
      init = 0
      -------------------------------------------------------------

      2. test the connection to a remote server supporting only a NIST curve based Key Exchange algorithms:
      GIT (git pull) : fatal: unable to access 'https://xxxxxxxxxxxxxxxx/': error:0A080006:SSL routines::EVP lib

      1. curl -v --ciphers ECDHE-RSA-AES256-GCM-SHA384 https://xxxxxxxxxxxxxxxx/

      Expected results:
      connection ok

      Actual results:
      GIT (git pull) : fatal: unable to access 'https://xxxxxxxxxxxxxxxx/': error:0A080006:SSL routines::EVP lib

      CURL (partial output) : 

      1. curl -v --ciphers ECDHE-RSA-AES256-GCM-SHA384 https://xxxxxxxxxxxxxxxx/
        [...]
      • TLSv1.0 (OUT), TLS header, Certificate Status (22):
      • TLSv1.3 (OUT), TLS handshake, Client hello (1):
      • CONNECT phase completed!
      • CONNECT phase completed!
      • TLSv1.2 (IN), TLS header, Certificate Status (22):
      • TLSv1.3 (IN), TLS handshake, Server hello (2):
      • TLSv1.2 (IN), TLS header, Certificate Status (22):
      • TLSv1.2 (IN), TLS handshake, Certificate (11):
      • TLSv1.2 (IN), TLS header, Certificate Status (22):
      • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
      • TLSv1.2 (OUT), TLS header, Unknown (21):
      • TLSv1.2 (OUT), TLS alert, internal error (592):
      • error:0A080006:SSL routines::EVP lib
      • Closing connection 0
        curl: (35) error:0A080006:SSL routines::EVP lib

      openssl s_client example output:

      1. openssl s_client -cipher 'ECDHE-RSA-AES256-GCM-SHA384' -connect xxxxxxxxxxxxxxxx:443
        [...]
        verify return:1
        80CB2921637F0000:error:0A080006:SSL routines:ssl_generate_param_group:EVP lib:ssl/s3_lib.c:4748:
        80CB2921637F0000:error:0A00013A:SSL routines:tls_process_ske_ecdhe:unable to find ecdh parameters:ssl/statem/statem_clnt.c:2146:
        [...]

       

      Additional information:
      The concerning behaviour was discussed in the upstream (https://github.com/openssl/openssl/issues/20161) and then fixed with https://github.com/openssl/openssl/pull/20780
      Would it be possible to consider backporting of the upstream fix to RHEL9's openssl 3.0.7?

              dbelyavs@redhat.com Dmitry Belyavskiy
              rhn-support-dbodnarc Dmitri Bodnarciuc
              Dmitry Belyavskiy Dmitry Belyavskiy
              Alicja Kario Alicja Kario
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: