Bug | Resolution: Unresolved | Normal | rhel-10.0.beta | Low | rhel-sst-security-crypto | ssg_security
What were you trying to do that didn't work?
When pkcs11-provider is already configured in the openssl config, libssh fails to read keys from the token. Note that pkcs11-provider-0.5 adds a drop-in configuration to openssl that activates the provider, so once this version is installed libssh can no longer get the objects from the token through pkcs11-provider.
libssh loads the provider explicitly (i.e. without needing it to be enabled beforehand in the openssl config). If the provider is not yet configured in openssl, libssh works fine, but once you add it, it stops working. It seems as if libssh loads the provider multiple times without checking that it is already loaded.
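The guard the report is asking for can be illustrated with a small configuration check: before loading a provider explicitly, look at what the openssl config (base file plus drop-ins) already activates. The following is an added example, not libssh or pkcs11-provider code; the two configuration texts are constructed to mirror the shape of an openssl.cnf and a drop-in like /etc/pki/tls/openssl.d/pkcs11-provider.conf (the real drop-in's exact contents are not shown on this page), and the function names are the example's own. In a real program the same decision would be made in C against libcrypto (e.g. by querying whether the provider is already available in the library context before calling the load function), which this stand-in only models.

```python
"""Decide whether a provider still needs an explicit load.

Added example (not libssh / pkcs11-provider code). Models the
check libssh is missing in the report: when the openssl config
already activates the pkcs11 provider, loading it again
explicitly is redundant and, per the report, breaks token access.
"""
import re
from typing import Dict

Section = Dict[str, str]


def parse_openssl_cnf(text: str) -> Dict[str, Section]:
    """Minimal parser for the openssl.cnf section / key = value format.

    Comments, blank lines and `.include` directives are skipped; the
    caller passes drop-in file contents explicitly instead of having
    them resolved here. Keys before the first [section] land in the
    unnamed default section "".
    """
    sections: Dict[str, Section] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(".include"):
            continue
        m = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections


def merge(*configs: Dict[str, Section]) -> Dict[str, Section]:
    """Overlay configs in order; later files add to / override sections."""
    merged: Dict[str, Section] = {}
    for cfg in configs:
        for name, kv in cfg.items():
            merged.setdefault(name, {}).update(kv)
    return merged


def provider_activated(sections: Dict[str, Section], provider: str = "pkcs11") -> bool:
    """Follow openssl_conf -> providers -> <provider> -> activate."""
    init = sections.get("", {}).get("openssl_conf", "openssl_init")
    providers_sect = sections.get(init, {}).get("providers")
    if not providers_sect:
        return False
    prov_sect_name = sections.get(providers_sect, {}).get(provider)
    if not prov_sect_name:
        return False
    return sections.get(prov_sect_name, {}).get("activate", "0") == "1"


def load_decision(*config_texts: str, provider: str = "pkcs11") -> str:
    """'already-active' if the config activates it, else 'load-explicitly'."""
    sections = merge(*(parse_openssl_cnf(t) for t in config_texts))
    return "already-active" if provider_activated(sections, provider) else "load-explicitly"


# Constructed sample: a base openssl.cnf that only activates the default provider.
BASE_CNF = """
openssl_conf = openssl_init
.include /etc/pki/tls/openssl.d   # directory of drop-ins (not resolved here)
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
[default_sect]
activate = 1
"""

# Constructed sample standing in for a pkcs11-provider drop-in.
DROPIN_CNF = """
[provider_sect]
pkcs11 = pkcs11_sect
[pkcs11_sect]
module = /usr/lib64/ossl-modules/pkcs11.so
activate = 1
"""

if __name__ == "__main__":
    print("base only      :", load_decision(BASE_CNF))
    print("base + drop-in :", load_decision(BASE_CNF, DROPIN_CNF))
```

With the base file alone the decision is to load explicitly; once the drop-in is overlaid the provider is reported as already active and the explicit load should be skipped, which is the behaviour the report says libssh lacks.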
What is the impact of this issue to you?
Unable to use software or hardware tokens for authentication in libssh with the drop-in pkcs11-provider openssl config.
Please provide the package NVR for which the bug is seen:
pkcs11-provider-0.5-5.el10.x86_64
libssh-0.10.6-8.el10.x86_64
How reproducible is this bug?:
100%
Steps to reproduce
- Install pkcs11-provider >= 0.5 (make sure it is activated in /etc/pki/tls/openssl.d/pkcs11-provider.conf).
- Execute e.g. torture_pki_rsa_uri from the libssh self-tests.
Expected results
Test passes; the pkcs11-provider log shows a single initialization (attached p11prov-debug.good.log).
Actual results
Test fails; the pkcs11-provider log shows multiple initializations (attached p11prov-debug.bad.log).