Could not bind to the requested symbol name (OpenSSL)

mSTYX · August 29, 2022, 7:07am

Heyho,

new week, new problems …

i can’t create_root_cert.ini

I use:

openssl:
Installiert: 1.1.1n-0+deb11u3
Installationskandidat: 1.1.1n-0+deb11u3
Versionstabelle:
*** 1.1.1n-0+deb11u3 500
500 Index of /debian bullseye/main amd64 Packages
500 Index of /debian-security bullseye-security/main amd64 Packages
100 /var/lib/dpkg/status

I will do this command

openssl req -config create_root_cert.ini -engine pkcs11 -keyform engine -key myverylongkey -new -x509 -days 3650 -sha512 -extensions v3_ca -out …/certs/root.crt engine “pkcs11” set.

I get thus error:

139879345423680:error:2506406A:DSO support routines:dlfcn_bind_func:could not bind to the requested symbol name:…/crypto/dso/dso_dlfcn.c:188:symname(EVP_PKEY_get_base_id): /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so: undefined symbol: EVP_PKEY_get_base_id
139879345423680:error:2506C06A:DSO support routines:DSO_bind_func:could not bind to the requested symbol name:…/crypto/dso/dso_lib.c:186:

What do I have to do to get the missing symbols? I found some hints on “stackoverflow” but they were related to osX and others

Thanks in Advanced

sc-hsm · August 29, 2022, 7:42am

I would recommend to use XCA instead, which is a frontend for OpenSSL that has PKCS#11 support integrated and that works well with the HSM.

I guess the problem is caused by a mismatch between OpenSSL and the installed OpenSC version. The OpenSSL package is progressing much faster than OpenSC and the API is frequently breaking.

That is the reason why we have a separate tooling in OpenSCDP and the PKI-as-a-Service Portal, which does not need complicated layers like PKCS#11 and engine-pkcs11.

mSTYX · August 29, 2022, 9:04am

thanks for your fast replay…

But, i don’t use a GUI. I have a “Server based” install (debian bullseye)
i will try to find out more about the two “sturgeon packages”

sc-hsm · August 29, 2022, 9:18am

Then my recommendation is to compile matching releases of OpenSC and engine-pkcs11 locally. You might also find additional information in the OpenSC project on Github.

saper · August 29, 2022, 9:40pm

You didn’t tell us how did you get pkcs11 engine installed.

This is probably because your pkcs11.so engine has been compiled for new OpenSSL 3.x and you are using OpenSSL 1.1.1 or you are running into Misleading error message(undefined symbol: EVP_PKEY_get_base_id) with engine load from OpenSSL1.1.1n · Issue #17962 · openssl/openssl · GitHub

See /docs/manmaster/man3/EVP_PKEY_get_base_id.html for more background.

mSTYX · September 19, 2022, 12:25pm

the same again… ok

saper · September 24, 2022, 11:36pm

pardon?

mSTYX · September 26, 2022, 5:34am

Parlez-vous français ? ?

Good Morning,

Sorry for being too brief here: I have produced the same problem again. I keep running into “incompatible packages” over and over again.

For the moment, we are consolidating again &Thanks for the support here, I’ll stay tuned!