In-Reply-To: <530E0424.1030407@redhat.com>
References: <530E0424.1030407@redhat.com>

On Wed Feb 26 15:11:58 2014, pspacek@redhat.com wrote:
> I'm trying to test BIND 9.10.0b1 with SoftHSM 1.3.3-4.fc20.x86_64
> and it doesn't work.

=> it can't work: SoftHSM v1 (vs v2) doesn't implement some required
PKCS#11 mechanisms. BTW the pkcs11-tokens application was created
to check this point.

> I'm trying to make it work for some time now but it seems like
> regression introduced some time after BIND 9.9.4-P2 to me.

=> native PKCS#11 support was introduced only in 9.10 so there is
no regression. BTW the OpenSSL PKCS#11 engine (in the sign-only mode)
should still work with SoftHSMv1.

> $ ltrace pkcs11-list

=> the PKCS#11 support is now included in the ISC library when
--with-pkcs11 is configured so the initialisation failure is common.

> The same version of SoftHSM works with pkcs11-list from BIND 9.9.4-P2:

=> BIND 9.9.4 has no native PKCS#11 support so can't be wrongly
configured with a too incomplete PKCS#11 provider...

A question: do you believe we should convert the failure into a warning
for PKCS#11 tools? It could be more user friendly but on the other hand
if someone ignores the warning it won't change the fact that *all* other
tools will fail...