I currently do not have a more regular smartcard setup to test out a hardware pk11 engine with openssl, which is typically the most common one. But I can use the software gost engine to test that the algos provided by the engine operate correctly.
Installed openssl from proposed, and gost engine.
$ dpkg -l | grep -e 1.1.1f -e openssl
ii libengine-gost-openssl1.1 1.1.0.3-1 amd64 Loadable module for openssl implementing GOST algorithms
ii libssl1.1:amd64 1.1.1f-1ubuntu2.9 amd64 Secure Sockets Layer toolkit - shared libraries
ii openssl 1.1.1f-1ubuntu2.9 amd64 Secure Sockets Layer toolkit - cryptographic utility
Without engine configured, connectivity fails to GOST only website:
# openssl s_client -connect tlsgost.cryptopro.ru:443
CONNECTED(00000003)
140163445085504:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1941:
Configured gost engine, and connect to GOST only website:
# openssl s_client -connect tlsgost.cryptopro.ru:443
CONNECTED(00000003)
depth=0 CN = id-GostR3410-2001-CryptoPro-XchA-ParamSet_256noauth
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = id-GostR3410-2001-CryptoPro-XchA-ParamSet_256noauth
verify error:num=21:unable to verify the first certificate
verify return:1
...
New, TLSv1.0, Cipher is GOST2012-GOST8912-GOST8912
Server public key is 256 bit
...
GET /
...
<p> TLS connection with id-GostR3410-2001-CryptoPro-XchA-ParamSet no auth requred.</p>
Connectivity using algos provided by a crypto engine worked.
Note that certificate was not verified, as we don't currently ship GOST CA certificates.
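For reference, the engine configuration used for a test like the one above (this is an added example following the gost-engine project's documented config layout, not the exact file from this verification run; the dynamic_path is assumed to be the Ubuntu amd64 location of the module shipped by libengine-gost-openssl1.1). Appended to or referenced from openssl.cnf, it makes every openssl invocation load the engine, which `openssl engine -t gost` then reports as available:

```ini
; added example; the 'openssl_conf' key must appear before any [section]
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
gost = gost_section

[gost_section]
engine = gost
; path assumed for Ubuntu amd64; adjust to where gost.so is installed
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/gost.so
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
```

With the engine loaded, s_client can negotiate the GOST cipher suites, but chain verification still needs the GOST CA certificates passed via -CAfile, since they are not shipped in ca-certificates.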