Comment 13 for bug 1940656

I currently do not have a more regular smartcard setup to test out a hardware pk11 engine with openssl, which is typically the most common one. But I can use software gost engine to test out that algos provided by the engine operate correctly.

Installed openssl from proposed, and gost engine.

$ dpkg -l | grep -e 1.1.1f -e openssl

ii libengine-gost-openssl1.1 1.1.0.3-1 amd64 Loadable module for openssl implementing GOST algorithms
ii libssl1.1:amd64 1.1.1f-1ubuntu2.9 amd64 Secure Sockets Layer toolkit - shared libraries
ii openssl 1.1.1f-1ubuntu2.9 amd64 Secure Sockets Layer toolkit - cryptographic utility

Without engine configured, connectivity fails to GOST only website:

# openssl s_client -connect tlsgost.cryptopro.ru:443
CONNECTED(00000003)
140163445085504:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1941:

Configured gost engine, and connect to GOST only website:

# openssl s_client -connect tlsgost.cryptopro.ru:443
CONNECTED(00000003)
depth=0 CN = id-GostR3410-2001-CryptoPro-XchA-ParamSet_256noauth
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = id-GostR3410-2001-CryptoPro-XchA-ParamSet_256noauth
verify error:num=21:unable to verify the first certificate
verify return:1
...
New, TLSv1.0, Cipher is GOST2012-GOST8912-GOST8912
Server public key is 256 bit
...
GET /
...
<p> TLS connection with id-GostR3410-2001-CryptoPro-XchA-ParamSet no auth requred.</p>

Connectivity using algos provided by a crypto engine worked.

Note that certificate was not verified, as we don't currently ship GOST CA certificates.