On Tue Aug 23 14:49:01 2016, mat@FreeBSD.org wrote:
> Well, no, it can take a:
>
>   --with-pkcs11=PATH      Build with PKCS11 support yes|no|path
>                           (PATH is for the PKCS11 provider)
>
> Which will be the default, but it is not mandatory, all commands can take a
> "-E /where/engine" argument, which is the way the port goes. I tested it
> with softhsm way back when BIND9 9.10 came out, and it was working just
> right :-)

=> PKCS#11 stuff comes in two parts: some PKCS#11 tools, which use --with-pkcs11, and the native PKCS#11 support, which uses PKCS#11 (vs OpenSSL) for all crypto operations. The native PKCS#11 is enabled by --enable-native-pkcs11 and relies on --with-pkcs11 to adjust the code to what the HSM supports (at configure time).

BTW this is required because the only HSM which passes the system tests is SoftHSMv2 with the OpenSSL backend. All others fail more or less seriously (with the last patch they are still usable in production; before, it was true only for SoftHSMv2 and the Thales nCipher...).