openssl pkcs#11 engine patch

Emil Natan shlyoko at
Mon Feb 7 15:59:15 UTC 2011


I am trying to build BIND 9.7.2-P3 with HSM support needed for DNSSEC on a
CentOS-5 box. Following the documentation (arm97, starting from page 27), I
downloaded the openssl source (0.9.8l) and applied the patch provided with BIND
(bin/pkcs11/openssl-0.9.8l-patch). There are no errors during the "configure"
and "make" phases, but I end up with an openssl that does not support pkcs#11.
I tried to use both the SCA6000 and SoftHSM pkcs#11 providers with no success.
Here is my configure line:

./Configure linux-generic32 -m32 -pthread --pk11-flavor=crypto-accelerator --prefix=/opt/pkcs11/usr

/opt/pkcs11/usr/lib/ is the pkcs#11 provider shipped with
SCA6000 (actually a copy of the original
Here is the error I get when checking for pkcs#11 support:

/opt/pkcs11/usr/bin/openssl engine pkcs11
27876:error:25066067:DSO support routines:DLFCN_LOAD:could not load the
/opt/pkcs11/usr/lib/engines/ cannot open shared object file: No
such file or directory
27876:error:25070067:DSO support routines:DSO_load:could not load the shared
27876:error:260B6084:engine routines:DYNAMIC_LOAD:dso not
27876:error:2606A074:engine routines:ENGINE_by_id:no such

/opt/pkcs11/usr/lib/engines/ should be the pkcs#11 engine, if I
understand this correctly, but it is not created. I checked that all components
are 32-bit and there is no mixing of 32 and 64-bit objects as proposed in

If I go further and build BIND as described in the ARM, when I try to create
keys using the pkcs11-keygen tool I get:

/chroot/named/sbin/pkcs11-keygen -b 1024 -l ksk
C_Initialize: Error = 0x000000FF

Has anyone got this working?

The output of the configure command is attached.

