Doug, thanks, I got it working now. Turns out it was the -t I was throwing to the openssl engine command... I don't know where I saw that or what it even does, but if I don't use it there's no segfault and the connection succeeds! Now to figure out what's different in the TLS/SSL libraries that both Chromium and Firefox fail...

engine -vvvv dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:src/pkcs11/.libs/opensc-pkcs11.so -pre VERBOSE
s_client -engine pkcs11 -connect webserver:443 -CAfile ca.crt -state -cert cert.01.pem -key 1:01 -keyform engine

On Thu, Dec 20, 2012 at 10:58 AM, Douglas E. Engert <deeng...@anl.gov> wrote:
> The OpenSC engine can pull the cert from the card, but it looks like
> the OpenSSL c_client does not support using an engine for the cert.
> It calls load_cert. Look at the load_cert (vs the load_key) routines
> in the OpenSSL src/apps/apps.c It does not recognize FORMAT_ENGINE.

Good to know as I kept thinking that it was where/how openssl was getting the cert that was the issue.

> For the -key parameter, I have always used slot_1-id_01 for the auth cert.
> I had not looked to see if 1:01 works too.

I found that 1:01 works too!

Matt

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel