Openssl 3 support for "provider"? (deprecated "engine" replacement)

Greetings, Erlang folks, hope this message finds you well!

I’m hoping to utilize an HSM (hardware security module) for private key storage and am curious whether openssl 3’s “provider” will be supported (to replace the deprecated “engine” usage) and if so, if there’s a targeted availability time frame.

thanks in advance!
ao


We are currently prototyping OpenSSL provider support. Hopefully some support will be included in OTP 27 next year.


Thanks, @sverker!

In the meantime, is there something I might inadvertently be doing incorrectly in attempting to make use of openssl 3 and engine? My attempts result in notsup errors.

For clarity:

Erlang/OTP 26 [erts-14.1.1] [source] [64-bit] [smp:16:16] [ds:16:16:10] [async-threads:1] [jit:ns]

iex(1)> :crypto.ensure_engine_loaded("tpm2tss", "/usr/lib/x86_64-linux-gnu/engines-3/tpm2tss.so")
** (ErlangError) Erlang error: :notsup
    crypto.erl:2194: :crypto.notsup_to_error/1
    crypto.erl:2072: :crypto.ensure_engine_loaded/2
    iex:1: (file)

iex(1)> System.cmd("openssl", ["engine", "tpm2tss"])
iex(2)> {"(tpm2tss) TPM2-TSS engine for OpenSSL\n", 0}

thanks again!

Engine was disabled for OpenSSL 3.* as we had some problems getting it to work. Those problems are probably fixed now in OTP-26.1 by PR-7392, but the disabled engine was left behind.

I have enabled engine for OpenSSL 3 in PR-7763 and hopefully we can release it in OTP 26.2.


Great news; thanks, @sverker!

Looking forward to hopefully trying it out in OTP 26.2. :smile:
-ao

For anyone looking at this, I can confirm the pkcs11 openssl engine (libengine-pkcs11-openssl on Ubuntu flavored systems) works with openssl 3 from the current (2023-10-31) maint branch (which should ultimately generally land on OTP 26.2).

Thanks again, @sverker!! Please refer to his response, listed as solution, for PR details.

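The failure mode discussed in this thread (an OTP build whose crypto app has engine support compiled out raising `notsup` from `crypto:ensure_engine_loaded/2`) is worth handling explicitly when the private key is supposed to live in an HSM or TPM: the application should refuse to start rather than silently fall back to a key on disk. The module below is an added example written for this thread, not code from OTP or from anyone in the discussion; the module name, the `pkcs11` engine id, the library path and the `pkcs11:` key id are assumptions and must be adjusted to the local system.

```erlang
%% hsm_key.erl: constructed example for this thread, not part of OTP.
-module(hsm_key).
-export([load_engine/2, check_key/3, ssl_key_opts/3]).

%% Load an OpenSSL engine by id from an explicit shared-object path.
%% On an OTP build where engine support is disabled (the OpenSSL 3 case
%% discussed above), crypto raises error:notsup; that is turned into a
%% tagged error so the caller can fail closed instead of crashing.
load_engine(EngineId, LibPath) ->
    try crypto:ensure_engine_loaded(EngineId, LibPath) of
        {ok, Engine}    -> {ok, Engine};
        {error, Reason} -> {error, {engine_load_failed, Reason}}
    catch
        error:notsup -> {error, engine_support_not_compiled_in}
    end.

%% Ask the engine for the public half of the referenced private key.
%% This proves the key id resolves inside the HSM before any TLS listener
%% is started; the private key itself never leaves the device.
check_key(Engine, Alg, KeyId) ->
    KeyRef = #{engine => Engine, key_id => KeyId},
    try crypto:privkey_to_pubkey(Alg, KeyRef) of
        PubKey -> {ok, PubKey}
    catch
        error:Reason -> {error, {key_lookup_failed, Reason}}
    end.

%% Build the ssl option that points at the engine-held key rather than a
%% PEM file. For the pkcs11 engine KeyId is typically a PKCS#11 URI.
ssl_key_opts(Engine, Alg, KeyId) ->
    [{key, #{algorithm => Alg, engine => Engine, key_id => KeyId}}].

%% Example wiring (assumed paths and ids):
%%   {ok, E} = hsm_key:load_engine(<<"pkcs11">>,
%%               "/usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so"),
%%   {ok, _} = hsm_key:check_key(E, rsa, "pkcs11:token=hsm;object=tls"),
%%   Opts = [{certfile, "server.pem"} |
%%           hsm_key:ssl_key_opts(E, rsa, "pkcs11:token=hsm;object=tls")],
%%   {ok, _} = ssl:listen(8443, Opts).
```

The `check_key/3` step is deliberately separate from option construction so that a wrong key id or a missing engine surfaces at startup, with a descriptive error, rather than on the first TLS handshake.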

Tangentially related: I remember that we did some hacks in GRiSP in order to allow using the secure element with SSL.

More details in the README of grisp_cryptoauth.