Description
I did this
mTLS connections are broken when private key is stored in an HSM and accessed via openssl pkcs11 engine:
$ curl --cert /cfg/certmgmt/device-cert-staging.pem --key 'pkcs11:type=private;pin-value=1234;object=TEST_KEYPAIR' --key-type ENG --engine pkcs11 --header 'Content-Type: application/x-www-form-urlencoded' --header 'Content-Type: text/plain' --data '<encoded-data-redacted>' https://example.com
curl: (53) SSL crypto engine not found
I expected the following
With curl version 8.12.1, connecting to a server using mTLS when the private key for a client certificate is stored in an HSM and accessed via the openssl pkcs11 engine worked fine. I expected it to continue working in 8.14.1 and master.
curl/libcurl version
curl 8.14.1 (aarch64-trimble-linux-gnu) libcurl/8.14.1 OpenSSL/3.5.0 zlib/1.3.1 libidn2/2.3.8 nghttp2/1.65.0
Release-Date: 2025-06-04
Protocols: file ftp ftps http https ipfs ipns
Features: alt-svc AsynchDNS HSTS HTTP2 HTTPS-proxy IDN IPv6 Largefile libz NTLM SSL threadsafe TLS-SRP UnixSockets
Bug was introduced in this commit:
commit f2ce6c46b9dcc46ced0ce43fa95176ea7599a854
Author: Daniel Stenberg <daniel@haxx.se>
Date: Tue Apr 8 11:45:17 2025 +0200
openssl: enable builds for *both* engines and providers
OpenSSL3 can in fact have both enabled at once. Load the provider and
key/cert appropriately. When loading a provider, the user can now also
set an associated "property string".
Work on this was sponsored by Valantic.
Closes #17165
This fix worked for me:
operating system
Linux bedrock-ttc-wsr-02 6.12.25-v8-16k #1 SMP PREEMPT Wed Apr 30 10:08:58 UTC 2025 aarch64 GNU/Linux
Yocto image built off of master where curl was recently updated from 8.12.1 to 8.14.1.
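The PKCS#11 URI on the `--key` line in the report carries the token PIN inline (`pin-value=1234`), so the PIN is visible in process listings, shell history and any log that records the command. As an added example (not code from the curl project or from the reporter), the block below parses RFC 7512 PKCS#11 URIs, flags an inline PIN, and produces a redacted form that is safe to paste into a bug report. The first sample URI is the one from the report; the second sample URI, the `<redacted>` marker and the `file:/etc/token_pin` path are constructed. The parser is deliberately lenient about where `pin-value` appears: RFC 7512 defines it as a query attribute (after `?`), but the reported URI places it in the path component, so both positions are accepted.

```python
"""Small RFC 7512 (PKCS#11 URI) parser with an inline-PIN check and redaction.

Added illustration; not code from curl or libp11. Sample values are constructed
except for the URI taken from the bug report.
"""
import re
from urllib.parse import unquote, unquote_to_bytes

# The bug report's key URI (real) and a constructed RFC-style URI using pin-source.
REPORT_URI = "pkcs11:type=private;pin-value=1234;object=TEST_KEYPAIR"
PIN_SOURCE_URI = (
    "pkcs11:token=My%20Token;object=my%20key;id=%01%02;type=private"
    "?pin-source=file:/etc/token_pin"
)


def parse_pkcs11_uri(uri: str) -> dict:
    """Return the URI's attributes as a dict, percent-decoded.

    Path attributes (before '?') are separated by ';', query attributes
    (after '?') by '&'.  The 'id' attribute is binary per RFC 7512, so it is
    decoded to bytes; every other value is decoded to text.  Attribute names
    are not restricted to a fixed list, so vendor attributes pass through.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    body = uri[len("pkcs11:"):]
    path_part, _, query_part = body.partition("?")
    attrs: dict = {}
    for section, sep in ((path_part, ";"), (query_part, "&")):
        if not section:
            continue
        for item in section.split(sep):
            name, eq, value = item.partition("=")
            if not eq or not name:
                raise ValueError(f"malformed attribute {item!r}")
            if name in attrs:
                raise ValueError(f"duplicate attribute {name!r}")
            attrs[name] = unquote_to_bytes(value) if name == "id" else unquote(value)
    return attrs


def audit_pkcs11_uri(uri: str) -> list:
    """Return a list of findings about how the token PIN is supplied."""
    attrs = parse_pkcs11_uri(uri)
    findings = []
    if "pin-value" in attrs:
        findings.append(
            "pin-value: PIN is embedded in the URI and exposed via argv, "
            "shell history and logs; prefer pin-source or an interactive prompt"
        )
    return findings


def redact_pkcs11_uri(uri: str) -> str:
    """Replace the value of any pin-value attribute so the URI can be shared."""
    return re.sub(r"(pin-value=)[^;&]*", r"\1<redacted>", uri)


if __name__ == "__main__":
    for sample in (REPORT_URI, PIN_SOURCE_URI):
        print(redact_pkcs11_uri(sample))
        for finding in audit_pkcs11_uri(sample):
            print("  -", finding)
```

Run it directly to see the redacted form of each sample URI followed by any findings; when adapting a command line for a report, pass the `--key` argument through `redact_pkcs11_uri` before pasting.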