Issue
What were you trying to do that didn't work?
When setting up the PKCS#11 engine in /etc/pki/tls/openssl.cnf GIT and CURL are displaying SSL errors for the target server supporting only a NIST curve based Key Exchange algorithm (e.g. ECDHE-RSA-AES256-GCM-SHA384)
Please provide the package NVR for which bug is seen:
openssl-3.0.7-24.el9.x86_64
openssl-pkcs11-0.4.11-7.el9.x86_64
Steps to reproduce
1. add pkcs11 engine in /etc/pki/tls/openssl.cnf:
-------------------------------------------------------------
[openssl_init]
providers = provider_sect
ssl_conf = ssl_module
engines = engine_sect
[engine_sect]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib64/engines-3/libpkcs11.so
MODULE_PATH = /usr/lib64/softhsm/libsofthsm.so
init = 0
-------------------------------------------------------------
2. test the connection to a remote server supporting only a NIST curve based Key Exchange algorithms:
GIT (git pull) : fatal: unable to access 'https://xxxxxxxxxxxxxxxx/': error:0A080006:SSL routines::EVP lib
curl -v --ciphers ECDHE-RSA-AES256-GCM-SHA384 https://xxxxxxxxxxxxxxxx/
Expected results:
connection ok
Actual results:
GIT (git pull) : fatal: unable to access 'https://xxxxxxxxxxxxxxxx/': error:0A080006:SSL routines::EVP lib
CURL (partial output) :
curl -v --ciphers ECDHE-RSA-AES256-GCM-SHA384 https://xxxxxxxxxxxxxxxx/
[...]
TLSv1.0 (OUT), TLS header, Certificate Status (22):
TLSv1.3 (OUT), TLS handshake, Client hello (1):
CONNECT phase completed!
CONNECT phase completed!
TLSv1.2 (IN), TLS header, Certificate Status (22):
TLSv1.3 (IN), TLS handshake, Server hello (2):
TLSv1.2 (IN), TLS header, Certificate Status (22):
TLSv1.2 (IN), TLS handshake, Certificate (11):
TLSv1.2 (IN), TLS header, Certificate Status (22):
TLSv1.2 (IN), TLS handshake, Server key exchange (12):
TLSv1.2 (OUT), TLS header, Unknown (21):
TLSv1.2 (OUT), TLS alert, internal error (592):
error:0A080006:SSL routines::EVP lib
Closing connection 0
curl: (35) error:0A080006:SSL routines::EVP lib
openssl s_client example output:
openssl s_client -cipher 'ECDHE-RSA-AES256-GCM-SHA384' -connect xxxxxxxxxxxxxxxx:443
[...]
verify return:1
80CB2921637F0000:error:0A080006:SSL routines:ssl_generate_param_group:EVP lib:ssl/s3_lib.c:4748:
80CB2921637F0000:error:0A00013A:SSL routines:tls_process_ske_ecdhe:unable to find ecdh parameters:ssl/statem/statem_clnt.c:2146:
[...]
Additional information:
The concerning behaviour was discussed in the upstream (https://github.com/openssl/openssl/issues/20161) and then fixed with https://github.com/openssl/openssl/pull/20780
Would it be possible to consider backporting of the upstream fix to RHEL9's openssl 3.0.7?
