Re: [PATCH 0/1] Load OpenSSL config if present in sign-file.c

From: David Woodhouse
Date: Fri Feb 03 2017 - 04:36:55 EST


On Fri, 2017-02-03 at 10:23 +0100, Antony Vennard wrote:
> On 03/02/17 10:07, David Woodhouse wrote:
> > You should[n't] need any of the special OpenSSL config horridness.

> Ah, I did not even know that was a thing. I do now. That looks like a
> much neater solution. Forget this patch then :)

As a general rule, this is true of *every* well-behaved application in
a Linux system.

If you have a PKCS#11 provider configured with a p11-kit .module file,
then it should automatically be usable just by providing a suitable
RFC7512 PKCS#11 URI in place of a filename.

If you find any application which can't do that on Fedora, file a bug
and Cc me. It's violating the packaging guidelines.

Other distributions may catch up in a decade or two (hey, I hear Debian
might even get coherent SSL trust settings by 2020...)

Attachment: smime.p7s
Description: S/MIME cryptographic signature