Hi, sorry, this is more a question than an issue (for now). I am trying to get the latest version v23 built with Debian and its latest pkcs11 Dracut pin patches. That lead me to actually trying to verify if the pkcs11 pin has a chance to work (at least theoretically for me).
There was one bigger change in Debian over time for the versions I build - switch from OpenSSL v1 to v3 and addition of legacy.so. It turns out the loading of legacy.so is disabled by default in OpenSSL v3 and you need a special configuration to make it working (i.e. openssl.cnf). I do not see the configuration being created, so the actual question is whether legacy.so is really loaded. Experiments with Claude confirmed that it is not loaded and is disabled-by-default (also confirmed by OpenSSL migration guide) - both Debian and Fedora.
It is this line:
|
/usr/lib64/ossl-modules/legacy.so \ |
In other words, I think it is useless and can be removed.
Hi, sorry, this is more a question than an issue (for now). I am trying to get the latest version v23 built with Debian and its latest pkcs11 Dracut pin patches. That lead me to actually trying to verify if the pkcs11 pin has a chance to work (at least theoretically for me).
There was one bigger change in Debian over time for the versions I build - switch from OpenSSL v1 to v3 and addition of
legacy.so. It turns out the loading oflegacy.sois disabled by default in OpenSSL v3 and you need a special configuration to make it working (i.e.openssl.cnf). I do not see the configuration being created, so the actual question is whetherlegacy.sois really loaded. Experiments with Claude confirmed that it is not loaded and is disabled-by-default (also confirmed by OpenSSL migration guide) - both Debian and Fedora.It is this line:
clevis/src/luks/dracut/clevis-pin-pkcs11/module-setup.sh.in
Line 52 in 6df9b69
In other words, I think it is useless and can be removed.