Hello,

The call to OPENSSL_config(NULL) was needed for loading the GOST engine. It was needed
for applications which use PKCS#11 (opensc-pkcs11.so) with GOST
algorithms and which don't use openssl directly (do not call
OPENSSL_config(NULL)).

Jan was right; he wrote in more detail:

Jan Just Keijser wrote:
 > the problem is not in openssl land but in the way the GOST engine is
 > loaded by the pkcs11 software. The GOST engine requires a section in the
 > openssl.cnf file to load the appropriate shared library.

and to load (if OPENSSL_NO_STATIC_ENGINE is not defined) the static engine.

 > The problem (with openssl) is that you cannot register an engine
 > twice. So when
 > a program loads and parses an openssl.cnf file which contains engine
 > definitions then the second attempt to register that engine will cause
 > a failure.
 >
 > I've built the GOST engine myself and did *NOT* specify an openssl.cnf
 > file : the gost engine still loads, but I am not sure if it is
 > functional.

In this case GOST algorithms do not work.
In this case the command "openssl genpkey -engine gost -algorithm gost2001 -pkeyopt paramset:A" works. But an application which uses PKCS#11 (and does not
call OPENSSL_config) doesn't work.


 > So the real question becomes: is this openssl.cnf section still necessary?

Yes, it is.


Andreas Jellinghaus wrote:
> On Saturday 17 April 2010 16:30:02, Martin Paljak wrote:
>> Compatibility with OpenSSL 1.0 is a good reason for a new release but I've
>>  not yet understood if it really is a problem with OpenSC or OpenSSL
>>  (reading up)
> 
> as far as I understand the issue:
>  * the combination of openssl, gost engine and opensc has problems
>  * to work around that, the config loading in opensc was disabled
>  * that breaks normal openssl + engine_pkcs11 + opensc combination.
> 
> so I think it is best to revert the hack for gost, so normal users
> can again use opensc with openssl and engine_pkcs11.
> 
> the problem with gost engine remains then, but I don't know it
> well enough to say if the problem is in openssl, gost or
> opensc.
> 
> or maybe the problem is using openssl with two engines
> (gost and engine_pkcs11) which both load opensc? not
> sure if I understood this right. but if the situation is like
> that, maybe the engines should be merged into one engine that
> handles both rsa and gost encryption?
> 
> I guess Aleksey can explain the situation best (added as cc:).
> 
> Andreas
> 
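
For reference, the kind of openssl.cnf engine section this thread is about, as an added example that is not part of the original messages. The section names and the dynamic_path value are assumptions and depend on the local OpenSSL install; omit dynamic_path when the engine is built in statically.

```ini
# Added example: minimal engine section read by OPENSSL_config(NULL).
# This line must appear at the top of openssl.cnf, before any [section].
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
# One entry per engine. Each engine id can only be registered once per
# process, so the same engine must not also be loaded a second time
# elsewhere in the same process.
gost = gost_section

[gost_section]
engine_id = gost
# Assumed path; adjust to where libgost.so is installed on this system.
dynamic_path = /usr/lib/ssl/engines/libgost.so
default_algorithms = ALL
```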