Can't enable GOST engine support in OpenSSL

2019-05-06 16:01发布

问题:

I'm trying to install SoftHSM as shown here, which requires OpenSSL. So I installed OpenSSL v1.0.2j, but it seems it doesn't have bundled GOST support, or at least I couldn't find libgost.so in /usr/lib/openssl/engines; so I took it from an older version of OpenSSL that I found (v1.0.0k-2.1.x86_64) and placed it in that folder.

Then, as suggested in multiple forums, I modified the file openssl.cnf (in /usr/local/ssl).

In the line after RANDFIL = $ENV::HOME/.rnd I added:

openssl_conf=openssl_def

And at the end of the file:

# OpenSSL default section
[openssl_def]
engines = engine_section

# Engine section
[engine_section]
gost = gost_section

# Engine gost section
[gost_section]
engine_id = gost
dynamic_path = /usr/lib/openssl/engines/libgost.so
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet

But still in the configure phase of SoftHSM installation it shows this error:

checking for OpenSSL GOST support... Cannot GOST engine
configure: error: OpenSSL library has no GOST support

Any help would be highly appreciated!

If I run this command: openssl ciphers|tr ':' '\n'|grep GOST, the output is: Error configuring OpenSSL

回答1:

OpenSSL 1.1.0 and later no longer include the GOST engine. From the changelog:

  *) The GOST engine was out of date and therefore it has been removed. An up
     to date GOST engine is now being maintained in an external repository.
     See: https://wiki.openssl.org/index.php/Binaries. Libssl still retains
     support for GOST ciphersuites (these are only activated if a GOST engine
     is present).
     [Matt Caswell]

The version of the GOST engine that you copied from OpenSSL 1.0.0k is probably incompatible with OpenSSL 1.1.0. Get a newer one at the site mentioned in the changelog.