Hi,

I am trying to build BIND 9.7.2-P3 with the HSM support needed for DNSSEC on a CentOS-5 box. Following the documentation (arm97, starting from page 27), I downloaded the openssl source (0.9.8l) and applied the patch provided with BIND (bin/pkcs11/openssl-0.9.8l-patch). There are no errors during the "configure" and "make" phases, but I end up with an openssl that does not support pkcs#11. I tried to use both the SCA6000 and SoftHSM pkcs#11 providers with no success. Here is my configure line:

./Configure linux-generic32 -m32 -pthread --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so --pk11-flavor=crypto-accelerator --prefix=/opt/pkcs11/usr

/opt/pkcs11/usr/lib/libpkcs11.so is the pkcs#11 provider shipped with the SCA6000 (actually a copy of the original /opt/sun/sca6000/lib/libpkcs11_sca.so). Here is the error I get when checking for pkcs#11 support:

/opt/pkcs11/usr/bin/openssl engine pkcs11
27876:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:162:filename(/opt/pkcs11/usr/lib/engines/libpkcs11.so): /opt/pkcs11/usr/lib/engines/libpkcs11.so: cannot open shared object file: No such file or directory
27876:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
27876:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
27876:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:419:id=pkcs11

/opt/pkcs11/usr/lib/engines/libpkcs11.so should be the pkcs#11 engine, if I understand this correctly, but it is not created. I checked that all components are 32-bit and that there is no mixing of 32- and 64-bit objects, as proposed in README.pkcs11.

If I go further and build BIND as described in the ARM, then when I try to create keys using the pkcs11-keygen tool I get:

/chroot/named/sbin/pkcs11-keygen -b 1024 -l ksk
C_Initialize: Error = 0x000000FF

Has anyone got this working? The output of the configure command is attached.

Thanks.

ena

configure_output.txt.gz
Description: GNU Zip compressed data