RHEL-62421

OpenSSL does not know Ex=RSA in definition of engine

    • Bug
    • Resolution: Won't Do
    • rhel-9.4
    • openssl
    • Low
    • rhel-sst-security-crypto
    • ssg_security
    • Red Hat Enterprise Linux
    • All

      What were you trying to do that didn't work?
      OpenSSL s_server <> s_client with only TLS 1.2 cipher AES256-SHA256 (an Ex=RSA algorithm) fails to negotiate when setting up the PKCS#11 engine

      Please provide the package NVR for which the bug is seen:
      openssl-3.0.7-28.el9_4.x86_64
      openssl-pkcs11-0.4.11-7.el9.x86_64

      Steps to reproduce
      1. create /etc/pki/tls/openssl-nginx.cnf with the pkcs11 engine:

      openssl_conf = openssl_init
      [openssl_init]
      providers = provider_sect
      engines=engine_section
      [provider_sect]
      default = default_sect
      [default_sect]
      activate = 1
      [engine_section]
      pkcs11 = pkcs11_section
      [pkcs11_section]
      engine_id = pkcs11
      dynamic_path = /usr/lib64/engines-3/libpkcs11.so
      init = 0


      2. generate a test 2048 bit key and self-signed sha256WithRSAEncryption certificate:

      # openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/host.key -out /etc/pki/tls/certs/host.cert


      3. run openssl s_server on the 1st terminal with the following parameters:

      # OPENSSL_CONF=/etc/pki/tls/openssl_nginx.cnf openssl s_server -accept localhost:3030 -key /etc/pki/tls/private/host.key -cert /etc/pki/tls/certs/host.cert -cipher AES256-SHA256


      4. test the connection using AES256-SHA256 via openssl s_client from the 2nd terminal:

      # echo test | openssl s_client -connect localhost:3030 -tls1_2 -cipher AES256-SHA256


      Expected results:

      • on the s_server side:
        test
        DONE
        shutting down SSL
        CONNECTION CLOSED

      • on the s_client side:
        ...
        DONE


      Actual results:

      • on the s_server side:
        ERROR
        809B87548B7F0000:error:02000090:rsa routines:pkey_rsa_ctrl:illegal or unsupported padding mode:crypto/rsa/rsa_pmeth.c:466:
        809B87548B7F0000:error:03000093:digital envelope routines:evp_pkey_ctx_ctrl_int:command not supported:crypto/evp/pmeth_lib.c:1336:
        809B87548B7F0000:error:0A000093:SSL routines:tls_process_cke_rsa:decryption failed:ssl/statem/statem_srvr.c:2911:
        shutting down SSL
        CONNECTION CLOSED

      • on the s_client side:
        ...
        80CB99A7407F0000:error:0A00041B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error:ssl/record/rec_layer_s3.c:1600:SSL alert number 51
        ...

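Added example, not part of this report: a small Python parser for the OpenSSL 3 error lines quoted above. It splits the packed hex code into the library and reason numbers (the same values the text fields name), recovers the TLS alert number from the s_client line, and flags the s_server chain in which the engine-backed RSA key rejects the padding mode and the RSA ClientKeyExchange decrypt then fails. The sample lines are copied from the report; the function and constant names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# OpenSSL 3 error line: thread-id:error:packed-code:library:function:reason:file:line:[detail]
ERR_LINE = re.compile(
    r"^[0-9A-Fa-f]+:error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):[^:]*:\d+:.*$"
)
ERR_LIB_RSA, ERR_LIB_EVP, ERR_LIB_SSL = 4, 6, 20  # library numbers from OpenSSL's err.h

@dataclass
class OpenSSLError:
    lib_num: int     # packed-code >> 23
    reason_num: int  # packed-code & 0x7FFFFF
    lib: str
    func: str
    reason: str

def parse_error_line(text: str) -> Optional[OpenSSLError]:
    """Parse one error line; returns None for other output such as 'shutting down SSL'."""
    m = ERR_LINE.match(text.strip())
    if not m:
        return None
    code = int(m["code"], 16)
    return OpenSSLError(code >> 23, code & 0x7FFFFF, m["lib"], m["func"], m["reason"])

def parse_output(output: str) -> List[OpenSSLError]:
    return [e for e in map(parse_error_line, output.splitlines()) if e]

def alert_number(err: OpenSSLError) -> Optional[int]:
    """SSL_R_*_ALERT_* reason codes are 1000 + the TLS alert number (1051 -> decrypt_error, 51)."""
    if err.lib_num == ERR_LIB_SSL and "alert" in err.reason and 1000 <= err.reason_num < 1256:
        return err.reason_num - 1000
    return None

def engine_rsa_kex_failure(errors: List[OpenSSLError]) -> bool:
    """Server-side chain from this report: engine rejects the padding mode, CKE decrypt fails."""
    seen = {(e.lib_num, e.func, e.reason) for e in errors}
    return ((ERR_LIB_RSA, "pkey_rsa_ctrl", "illegal or unsupported padding mode") in seen
            and (ERR_LIB_SSL, "tls_process_cke_rsa", "decryption failed") in seen)

# Constructed sample: the s_server and s_client lines quoted in this report.
SERVER_OUTPUT = """\
809B87548B7F0000:error:02000090:rsa routines:pkey_rsa_ctrl:illegal or unsupported padding mode:crypto/rsa/rsa_pmeth.c:466:
809B87548B7F0000:error:03000093:digital envelope routines:evp_pkey_ctx_ctrl_int:command not supported:crypto/evp/pmeth_lib.c:1336:
809B87548B7F0000:error:0A000093:SSL routines:tls_process_cke_rsa:decryption failed:ssl/statem/statem_srvr.c:2911:
shutting down SSL"""
CLIENT_OUTPUT = ("80CB99A7407F0000:error:0A00041B:SSL routines:ssl3_read_bytes:"
                 "tlsv1 alert decrypt error:ssl/record/rec_layer_s3.c:1600:SSL alert number 51")
```

Running it over the report's server lines yields library numbers 4, 6 and 20 (RSA, EVP, SSL) and flags the engine key-exchange failure; the client line decodes to alert 51, matching the "SSL alert number 51" OpenSSL prints.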

              dbelyavs@redhat.com Dmitry Belyavskiy
              rhn-support-dbodnarc Dmitri Bodnarciuc
              Dmitry Belyavskiy Dmitry Belyavskiy
              George Pantelakis George Pantelakis