Comment 9 for bug 2004676

Andreas Hasenack (ahasenack) wrote (last edit ):

I'm not sure the rdrand engine is a good test. I was thinking about:

- install the pkcs11 engine: sudo apt install libengine-pkcs11-openssl
- enable it in /etc/ssl/openssl.cnf:
--- /etc/ssl/openssl.cnf.orig 2023-09-25 12:20:32.101311003 +0000
+++ /etc/ssl/openssl.cnf 2023-09-24 15:20:39.949764703 +0000
@@ -53,6 +53,15 @@
 [openssl_init]
 providers = provider_sect
 ssl_conf = ssl_sect
+engines = engine_section
+
+[engine_section]
+pkcs11 = pkcs11_section
+
+[pkcs11_section]
+engine_id = pkcs11
+MODULE_PATH = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
+init = 0

 # List of providers to load
 [provider_sect]
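Review bot: MODULE_PATH in [pkcs11_section] points at the engine shared object itself (/usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so). In the libp11 engine configuration MODULE_PATH names the PKCS#11 module the engine loads (the OpenSC or SoftHSM library for the card or emulator being tested), while the engine .so, if it needs an explicit path at all, goes in dynamic_path. With this value the engine will still appear in `openssl list -engines` (which is why the check below passes) but it will have no token to open, so the later OpenVPN step cannot succeed; suggest `MODULE_PATH = <path to the PKCS#11 module>` and, if needed, `dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so`. Minor: the `---` timestamp (2023-09-25) is newer than the `+++` one (2023-09-24), so double-check the diff was taken in the intended direction.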

- confirm it's available:
$ openssl list -engines
Engines:
rdrand
dynamic
pkcs11 <---

- tell openvpn to use it. This is the big one. With the version in jammy currently (2.5.5-1ubuntu3.1), at least pkcs11 is now listed:

$ openvpn --show-engines
OpenSSL Crypto Engines

Intel RDRAND engine [rdrand]
Dynamic engine loading support [dynamic]
pkcs11 engine [pkcs11]

But I don't know yet how to use it. The idea would be to set up an openvpn peer with a certificate for authentication, but using the pkcs11 engine on that side. This involves smart cards, or software emulation of SCs, like done in the libp11 dep8 engine test perhaps. I tried with TPM, but the TPM openssl engine is not working (even found a bug in LP about it), and was deprecated in favor of the TPM provider, which works.

I'll see if I can find some time to try to set this up, but also feel free to start without me :)
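Added example, not part of the comment above: a small checker that follows the `openssl_init -> engines -> pkcs11` wiring from the diff and flags a MODULE_PATH that points into the OpenSSL engines directory rather than at a PKCS#11 token module. It assumes the libp11 engine convention that MODULE_PATH is the PKCS#11 module and dynamic_path is the engine .so; the sample config is constructed from the hunk.

```python
import configparser

# Constructed sample: the engine wiring from the openssl.cnf hunk, reduced to
# the sections the engine chain touches.
SAMPLE_CNF = """\
[openssl_init]
providers = provider_sect
ssl_conf = ssl_sect
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
MODULE_PATH = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
init = 0

[provider_sect]
default = default_sect
"""

def load_cnf(text):
    # openssl.cnf is INI-like; keys are case-sensitive (MODULE_PATH != module_path)
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def engine_section_for(cp, engine_id, init_section="openssl_init"):
    """Follow [init_section] engines -> <engine_id> = <section>; None if the chain is broken."""
    engines_sect = cp.get(init_section, "engines", fallback=None)
    if engines_sect is None or not cp.has_section(engines_sect):
        return None
    sect = cp.get(engines_sect, engine_id, fallback=None)
    return sect if sect and cp.has_section(sect) else None

def check_pkcs11_engine(text):
    """Return a list of findings; an empty list means the wiring looks sane."""
    cp = load_cnf(text)
    sect = engine_section_for(cp, "pkcs11")
    if sect is None:
        return ["pkcs11 engine is not reachable from [openssl_init] via an engines section"]
    findings = []
    if cp.get(sect, "engine_id", fallback=None) != "pkcs11":
        findings.append(f"[{sect}] engine_id should be pkcs11")
    module = cp.get(sect, "MODULE_PATH", fallback=None)
    if module is None:
        findings.append(f"[{sect}] has no MODULE_PATH; the engine needs a PKCS#11 module to load")
    elif "/engines-" in module:
        # Assumption (libp11 convention): MODULE_PATH is the token module (OpenSC, SoftHSM, ...);
        # a path inside the OpenSSL engines directory is the engine itself, which belongs in dynamic_path.
        findings.append(f"[{sect}] MODULE_PATH points at the engine .so, not a PKCS#11 module: {module}")
    return findings
```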