8

我正在尝试安装SoftHSM,如此处所示它需要 OpenSSL。所以我安装了 OpenSSL v1.0.2j,但它似乎没有捆绑 GOST 支持,或者至少我libgost.so/usr/lib/openssl/engines; 所以我从我找到的旧版本的 OpenSSL (v1.0.0k-2.1.x86_64) 中取出它并将它放在那个文件夹中。

然后,根据多个论坛的建议,我修改了文件 openssl.cnf(在 中/usr/local/ssl)。

RANDFIL = $ENV::HOME/.rnd我添加后的行中:

openssl_conf=openssl_def

在文件末尾:

# OpenSSL default section
[openssl_def]
engines = engine_section

# Engine section
[engine_section]
gost = gost_section

# Engine gost section
[gost_section]
engine_id = gost
dynamic_path = /usr/lib/openssl/engines/libgost.so
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet

但仍处于 SoftHSM 安装的配置阶段,它显示此错误:

checking for OpenSSL GOST support... Cannot GOST engine
configure: error: OpenSSL library has no GOST support

任何帮助将不胜感激!

如果我运行这个命令:openssl ciphers|tr ':' '\n'|grep GOST,输出是:Error configuring OpenSSL

4

2 回答 2

8

OpenSSL 1.1.0 及更高版本不再包含 GOST 引擎。从变更日志:

  *) The GOST engine was out of date and therefore it has been removed. An up
     to date GOST engine is now being maintained in an external repository.
     See: https://wiki.openssl.org/index.php/Binaries. Libssl still retains
     support for GOST ciphersuites (these are only activated if a GOST engine
     is present).
     [Matt Caswell]

您从 OpenSSL 1.0.0k 复制的 GOST 引擎版本可能与 OpenSSL 1.1.0 不兼容。在更改日志中提到的站点上获取更新的。

于 2016-10-12T23:07:31.320 回答
4

我也遇到了同样的情况,我能够解决它,禁用 GOST 进行安装

下载

wget https://dist.opendnssec.org/source/softhsm-2.3.0.tar.gz
tar -xzf softhsm-2.3.0.tar.gz
cd softhsm-2.3.0

禁用 GOST

./configure --disable-gost

安装

sudo make install
于 2020-06-26T17:31:41.870 回答