无法在OpenSSL中启用GOST引擎支持

Question

我试图安装SoftHSM，如here所示，这需要OpenSSL。所以我安装了OpenSSL v1.0.2j，但似乎没有捆绑的GOST支持，或者至少我找不到libgost.so在/usr/lib/openssl/engines;所以我将它从我发现的较旧版本的OpenSSL（v1.0.0k-2.1.x86_64）中取出并放入该文件夹中。

然后，按照多个论坛中的建议，我修改了文件openssl.cnf（在/usr/local/ssl）。

在行RANDFIL = $ENV::HOME/.rnd后，我说：

openssl_conf=openssl_def 

，并在文件的结尾：

# OpenSSL default section 
[openssl_def] 
engines = engine_section 

# Engine section 
[engine_section] 
gost = gost_section 

# Engine gost section 
[gost_section] 
engine_id = gost 
dynamic_path = /usr/lib/openssl/engines/libgost.so 
default_algorithms = ALL 
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet 

但仍处于SoftHSM安装它的配置阶段显示了这个错误：

checking for OpenSSL GOST support... Cannot GOST engine 
configure: error: OpenSSL library has no GOST support 

任何帮助将不胜感激！

如果我运行此命令：openssl ciphers|tr ':' '\n'|grep GOST，输出为：Error configuring OpenSSL

Answer 1

的OpenSSL 1.1.0和以后不再包括GOST引擎。 From the changelog:

*) The GOST engine was out of date and therefore it has been removed. An up 
    to date GOST engine is now being maintained in an external repository. 
    See: https://wiki.openssl.org/index.php/Binaries. Libssl still retains 
    support for GOST ciphersuites (these are only activated if a GOST engine 
    is present). 
    [Matt Caswell] 

您从OpenSSL的1.0.0k复制的GOST引擎的版本可能是使用OpenSSL 1.1.0不兼容。在更新日志中提到的站点获取更新的站点。