9

I'm trying to install SoftHSM as shown here, which requires OpenSSL. So I installed OpenSSL v1.0.2j, but it seems it doesn't have bundled GOST support, or at least I couldn't find libgost.so in /usr/lib/openssl/engines; so I took it from an older version of OpenSSL that I found (v1.0.0k-2.1.x86_64) and placed it in that folder.

Then, as suggested in multiple forums, I modified the file openssl.cnf (in /usr/local/ssl).

In the line after `RANDFILE = $ENV::HOME/.rnd` I added:

```
openssl_conf=openssl_def
```

And at the end of the file:

```
# OpenSSL default section
[openssl_def]
engines = engine_section

# Engine section
[engine_section]
gost = gost_section

# Engine gost section
[gost_section]
engine_id = gost
dynamic_path = /usr/lib/openssl/engines/libgost.so
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
```

But still in the configure phase of SoftHSM installation it shows this error:

```
checking for OpenSSL GOST support... Cannot GOST engine
configure: error: OpenSSL library has no GOST support
```

Any help would be highly appreciated!

If I run this command: `openssl ciphers|tr ':' '\n'|grep GOST`, the output is: `Error configuring OpenSSL`

myrmix
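A static check of the `openssl_conf` -> `engines` -> engine-section chain that the question's openssl.cnf sets up, as an added example that is not part of the original post; the function names and the sample text are constructed here. It only verifies that each reference resolves and that `dynamic_path` points at an existing file, not that the engine binary matches the installed OpenSSL version.

```python
import os
import re

# Constructed sample: the question's openssl.cnf additions, reduced to the engine chain.
SAMPLE = """\
RANDFILE = $ENV::HOME/.rnd
openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
gost = gost_section
[gost_section]
engine_id = gost
dynamic_path = /usr/lib/openssl/engines/libgost.so
"""

def parse_cnf(text):
    """Parse openssl.cnf-style text into {section: {key: value}}; "" is the default section."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        header = re.fullmatch(r"\[\s*(.+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def check_engine_chain(text, exists=os.path.exists):
    """Return problems found in the openssl_conf -> engines -> engine-section chain."""
    cnf = parse_cnf(text)
    top = cnf[""].get("openssl_conf")
    if top is None:
        # A key placed after any [section] header belongs to that section, not the default one.
        return ["openssl_conf is not set in the default (unnamed) section"]
    engines = cnf.get(top, {}).get("engines")
    if engines not in cnf:
        return [f"[{top}] does not name an existing engines section"]
    problems = []
    for name, sect in cnf[engines].items():
        if sect not in cnf:
            problems.append(f"engine {name}: section [{sect}] is missing")
        elif "dynamic_path" in cnf[sect] and not exists(cnf[sect]["dynamic_path"]):
            problems.append(f"engine {name}: {cnf[sect]['dynamic_path']} not found")
    return problems

if __name__ == "__main__":
    print(check_engine_chain(SAMPLE) or "engine chain looks consistent")
```
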

2 Answers

8

OpenSSL 1.1.0 and later no longer include the GOST engine. From the changelog:

  *) The GOST engine was out of date and therefore it has been removed. An up
     to date GOST engine is now being maintained in an external repository.
     See: https://wiki.openssl.org/index.php/Binaries. Libssl still retains
     support for GOST ciphersuites (these are only activated if a GOST engine
     is present).
     [Matt Caswell]

The version of the GOST engine that you copied from OpenSSL 1.0.0k is probably incompatible with OpenSSL 1.1.0. Get a newer one at the site mentioned in the changelog.

  • Thanks, I was able to add the engine GOST correctly with the instructions in the [wiki of the repo](https://github.com/gost-engine/engine/wiki), because when I execute the command `openssl ciphers|tr ':' '\n'|grep GOST` in the terminal, it shows `GOST2001-GOST89-GOST89 GOST94-GOST89-GOST89`. But anyway, SoftHSM wouldn't recognize it and keeps showing the same error in the ./configure. I guess it's a SoftHSM problem. – myrmix Oct 13 '16 at 18:32
  • I was able to circumvent this issue with `./configure --disable-gost` – sce Jan 21 '17 at 11:35
6

The same happened to me, and I was able to solve it by disabling GOST for the installation.

Download

```
wget https://dist.opendnssec.org/source/softhsm-2.3.0.tar.gz
tar -xzf softhsm-2.3.0.tar.gz
cd softhsm-2.3.0
```

Disable GOST

```
./configure --disable-gost
```

Installation

```
sudo make install
```
Ronald Coarite