RHEL-33742

Please stop using OpenSSL ENGINE API in nginx

    • Bug
    • Resolution: Unresolved
    • rhel-10.0.beta
    • nginx
    • sst_cs_infra_services
    • ssg_core_services
    • Red Hat Enterprise Linux
    • Known Issue

      Nginx does not support PKCS #11 and TPM

      The OpenSSL engines API was deprecated in RHEL 9 and removed from Nginx in RHEL 10. The corresponding functionality using the current OpenSSL providers API is not yet available. As a consequence, the Nginx HTTP server does not work with hardware security modules (HSMs) through PKCS #11 and Trusted Platform Module (TPM) devices.

      Dear colleagues,

      Our scanning identified your component as one of the packages using OpenSSL ENGINE API.

      Engines are not FIPS compatible and the corresponding API is deprecated since OpenSSL 3.0. The engine functionality we are aware of (PKCS#11, TPM) is either covered by providers maintained by the Crypto Team now or will be covered soon.

      We kindly ask you to implement patches or apply compiling options to eliminate the code relying on ENGINE API. Even if we don’t eliminate the ENGINE API completely for backward binary compatibility, the compilation of applications using the ENGINE API will soon become impossible.

      We kindly ask you to add this work to the nearest sprint. We have a side-tag f41-build-side-86419 to build and a Copr build https://copr.fedorainfracloud.org/coprs/dbelyavs/openssl-no-engine/build/7107098/

      Feel free to reach the Crypto team, Dmitry Belyavskiy, Sahana Prasad, or Clemens Lang directly if you have any problems with the necessary changes.
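As an added illustration, not tooling from the Crypto team or from the nginx package, the script below reproduces the kind of source scan the message refers to: it flags C sources that include `<openssl/engine.h>` or call `ENGINE_*` functions, and separates files already wrapped in an `OPENSSL_NO_ENGINE` guard (the macro an OpenSSL built without engine support defines, so such code stops compiling only where the guard is missing) from those still using the API unconditionally. The three-file source tree it creates is constructed for the demonstration; the file names and contents are assumptions, not nginx code.

```bash
#!/usr/bin/env bash
# Scan a source tree for OpenSSL ENGINE API usage and report which files
# would fail to build against an OpenSSL configured with no-engine.
set -eu

# make_sample_tree: creates a constructed sample tree (not real project code)
# with one unguarded ENGINE user, one guarded user and one provider-based file.
make_sample_tree() {
  dir=$(mktemp -d)
  cat > "$dir/legacy.c" <<'EOF'
#include <openssl/engine.h>
void load_key(void) { ENGINE *e = ENGINE_by_id("pkcs11"); ENGINE_init(e); }
EOF
  cat > "$dir/guarded.c" <<'EOF'
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#endif
void load_key(void) {
#ifndef OPENSSL_NO_ENGINE
  ENGINE *e = ENGINE_by_id("pkcs11");
#endif
}
EOF
  cat > "$dir/clean.c" <<'EOF'
#include <openssl/provider.h>
void load_key(void) { OSSL_PROVIDER_load(NULL, "pkcs11"); }
EOF
  printf '%s\n' "$dir"
}

# scan_engine_usage DIR: list every .c/.h file that includes the engine header
# or calls an ENGINE_* function, one path per line, sorted.
scan_engine_usage() {
  grep -rlE '(#include[[:space:]]*<openssl/engine\.h>|ENGINE_[A-Za-z0-9_]+\()' \
    --include='*.c' --include='*.h' "$1" 2>/dev/null | sort
}

# count_engine_files DIR: number of files flagged by scan_engine_usage.
count_engine_files() {
  scan_engine_usage "$1" | wc -l | tr -d ' '
}

# has_no_engine_guard FILE: succeeds if the file references OPENSSL_NO_ENGINE
# at all; a coarse check, since a guard elsewhere in the file may not cover
# every ENGINE call, so flagged files still deserve a manual look.
has_no_engine_guard() {
  grep -q 'OPENSSL_NO_ENGINE' "$1"
}

# unguarded_engine_files DIR: flagged files with no OPENSSL_NO_ENGINE guard;
# these are the ones that break first when engine support is compiled out.
unguarded_engine_files() {
  scan_engine_usage "$1" | while IFS= read -r f; do
    has_no_engine_guard "$f" || printf '%s\n' "$f"
  done
}

# Stand-alone run: scan the constructed tree and print a short report.
if [ "${BASH_SOURCE[0]:-}" = "$0" ]; then
  tree=$(make_sample_tree)
  echo "ENGINE API users in $tree: $(count_engine_files "$tree")"
  echo "Unguarded (will not build with no-engine OpenSSL):"
  unguarded_engine_files "$tree"
fi
```

Point the functions at a real checkout instead of the constructed tree to triage a package; a file that appears in the unguarded list needs either a provider-based replacement or an `OPENSSL_NO_ENGINE` guard before it can build against the no-engine OpenSSL mentioned above.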

              Lubos Uhliarik (luhliari@redhat.com)
              pme bot (autobot-jira-api)
              Iveta Cesalova
              Mirek Jahoda