Known Issues for the OpenSSL Dynamic Engine - AWS CloudHSM

Known Issues for the OpenSSL Dynamic Engine

These are the known issues for OpenSSL Dynamic Engine

Issue: You cannot install AWS CloudHSM OpenSSL Dynamic Engine on RHEL6 and CentOS6

  • Impact: The OpenSSL Dynamic Engine only supports OpenSSL 1.0.2[f+]. By default, RHEL 6 and CentOS 6 ship with OpenSSL 1.0.1.

  • Workaround: Upgrade the OpenSSL library on RHEL 6 and CentOS 6 to version 1.0.2[f+].

Issue: Only RSA offload to the HSM is supported by default

  • Impact: To maximize performance, the SDK is not configured to offload additional functions such as random number generation or EC-DH operations.

  • Workaround: Please contact us through a support case if you need to offload additional operations.

  • Resolution status: We are adding support to the SDK to configure offload options through a configuration file. The update will be announced on the version history page once available.

Issue: RSA encryption and decryption with OAEP padding using a key on the HSM is not supported

  • Impact: Any call to RSA encryption and decryption with OAEP padding fails with a divide-by-zero error. This occurs because the OpenSSL dynamic engine calls the operation locally using the fake PEM file instead of offloading the operation to the HSM.

  • Workaround: You can perform this procedure by using either the PKCS #11 Library or the AWS CloudHSM JCE Provider.

  • Resolution status: We are adding support to the SDK to correctly offload this operation. The update will be announced on the version history page once available.

Issue: Only private key generation of RSA and ECC keys is offloaded to the HSM

For any other key type, the OpenSSL AWS CloudHSM engine is not used for call processing. The local OpenSSL engine is used instead. This generates a key locally in software.

  • Impact: Because the failover is silent, there is no indication that you have not received a key that was securely generated on the HSM. You will see an output trace that contains the string "...........++++++" if the key is locally generated by OpenSSL in software. This trace is absent when the operation is offloaded to the HSM. Because the key is not generated or stored on the HSM, it will be unavailable for future use.

  • Workaround: Only use the OpenSSL engine for key types it supports. For all other key types, use PKCS #11 or JCE in applications, or use key_mgmt_util in the AWS CLI.

Issue: You cannot install OpenSSL Dynamic Engine on RHEL 8, CentOS 8, or Ubuntu 18.04 LTS

  • Impact: By default, RHEL 8, CentOS 8, and Ubuntu 18.04 LTS ship a version of OpenSSL that is not compatible with OpenSSL Dynamic Engine.

  • Workaround: Use a Linux platform that provides support for OpenSSL Dynamic Engine. For more information about supported platforms, see Supported Platforms