On Wed Feb 26 15:11:58 2014, pspacek@redhat.com wrote:
> I'm trying to test BIND 9.10.0b1 with SoftHSM 1.3.3-4.fc20.x86_64
> and it doesn't work.

=> it can't work: SoftHSM v1 (vs v2) doesn't implement
some required PKCS#11 mechanisms.
BTW the pkcs11-tokens application was created to check
this point.

> I'm trying to make it work for some time now but it seems like
> regression introduced some time after BIND 9.9.4-P2 to me.

=> native PKCS#11 support was introduced only in 9.10
so there is no regression. BTW the OpenSSL PKCS#11 engine
(in the sign-only mode) should still work with SoftHSMv1.

> $ ltrace pkcs11-list

=> the PKCS#11 support is now included in the ISC
library when --with-pkcs11 in configured so
the initialisation failure is common.

> The same version of SoftHSM works with pkcs11-list from BIND 9.9.4-P2:

=> BIND 9.9.4 has no native PKCS#11 support so
can't be wrongly configured with a too incomplete
PKCS#11 provider...

A question: do you believe we should covert
the failure into a warning for PKCS#11 tools?
It could be more user friendly but at another hand
if someone ignores the warning it won't change the
fact that *all* other tools will fail...