Adding pkcs11 provider to openssl breaks openssh: PRNG is not seeded

[minfrin]

When the following file is added to enable the pkcs11 provider (which then subsequently works with openssl), ssh breaks as follows:

Little-Net-8818:~ minfrin$ ssh --version
PRNG is not seeded

Removing the file fixes the problem.

Little-Net-8818:~ minfrin$ cat /opt/local/etc/openssl/openssl.cnf.d/pkcs11.conf

[provider_sect]
pkcs11 = pkcs11_sect

[pkcs11_sect]
module = /opt/local/libexec/openssl3/lib/ossl-modules/pkcs11.dylib
pkcs11-module-path = /Library/OpenSC/lib/opensc-pkcs11.so
#pkcs11-module-token-pin = /etc/ssl/pinfile.txt
activate = 1

Versions:

  openssl @3_25+universal (active)
  openssl3 @3.5.2_0+universal (active)
  openssh @10.0p2_3 (active)

[jmroot (Joshua Root)]

Where does /Library/OpenSC/lib/opensc-pkcs11.so come from? Are you sure it's compatible with this version of openssl? Does using the opensc port instead make a difference?

[neverpanic (Clemens Lang)]

What does openssl list -providers print on your system? Do you still have the default provider loaded?

[neverpanic (Clemens Lang)]

This tickets sounds very similar to #68766, and indeed the openssl3 port is +universal in this report. Unfortunately the ticket does not contain the OS the reporter is on, there was no reply to my questions, and I cannot reproduce the problem.

It's possible there still is a problem with openssl +universal, potentially on older machines, although nobody else seems to be reporting other instances of #68766. I'll just close this as worksforme until somebody can reproduce.