Known issues for the OpenSSL Dynamic Engine - AWS CloudHSM

These are the known issues for the AWS CloudHSM OpenSSL Dynamic Engine.

Issue: You cannot install AWS CloudHSM OpenSSL Dynamic Engine on RHEL 6 and CentOS 6

  • Impact: The OpenSSL Dynamic Engine only supports OpenSSL 1.0.2f or later. By default, RHEL 6 and CentOS 6 ship with OpenSSL 1.0.1.

  • Workaround: Upgrade the OpenSSL library on RHEL 6 and CentOS 6 to version 1.0.2f or later.

Issue: Only RSA offload to the HSM is supported by default

  • Impact: To maximize performance, the SDK is not configured to offload additional functions such as random number generation or EC-DH operations.

  • Workaround: Please contact us through a support case if you need to offload additional operations.

  • Resolution status: We are adding support to the SDK to configure offload options through a configuration file. The update will be announced on the version history page once available.

Issue: RSA encryption and decryption with OAEP padding using a key on the HSM is not supported

  • Impact: Any call to RSA encryption or decryption with OAEP padding fails with a divide-by-zero error. This occurs because the OpenSSL Dynamic Engine performs the operation locally using the fake PEM file (which contains no key material) instead of offloading the operation to the HSM.

  • Workaround: Perform RSA-OAEP encryption and decryption through the PKCS #11 library or the JCE provider instead.

  • Resolution status: We are adding support to the SDK to correctly offload this operation. The update will be announced on the version history page once available.

Issue: Only private key generation of RSA and ECC keys is offloaded to the HSM

For any other key type, the AWS CloudHSM OpenSSL engine does not process the call. OpenSSL's built-in software implementation handles it instead, and the key is generated locally in software.

  • Impact: Because the fallback is silent, no error tells you that the key you received was not securely generated on the HSM. The only sign is OpenSSL's key-generation progress trace, output containing the string "...........++++++", which is printed when the key is generated locally in software and absent when the operation is offloaded to the HSM. Because the key was neither generated nor stored on the HSM, it will not be available there for future use.

  • Workaround: Only use the OpenSSL engine for key types it supports. For all other key types, use PKCS #11 or JCE in applications, or use key_mgmt_util in the CLI.
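Because the fallback described above produces no error, a script that generates keys through the engine should check for the software-generation trace itself. The following is an added example, not tooling from AWS CloudHSM: it wraps an OpenSSL key-generation command, captures stderr, and refuses the result if OpenSSL's "+++" progress trace appears. The engine id "cloudhsm", the function names, and the requirement that the caller pass -out are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of AWS CloudHSM. Detects the silent fallback to
# software key generation by inspecting OpenSSL's stderr.

# $1 = captured stderr of an openssl key-generation command.
# OpenSSL prints a "...+++" progress trace only when it generates the key
# itself; when the engine offloads generation to the HSM no trace appears.
software_keygen_trace() {
  case "$1" in
    *+++*) return 0 ;;   # trace present: key was generated locally in software
    *)     return 1 ;;   # no trace: consistent with HSM offload
  esac
}

# Usage: hsm_genkey <engine-id> <openssl subcommand> <args including -out> ...
# Example: hsm_genkey cloudhsm genrsa -out rsa_fake.pem 2048
# The engine id "cloudhsm" is an assumption; use the id your SDK registers.
# -engine is placed before the remaining arguments because OpenSSL 1.0.2
# subcommands such as genrsa expect options before the key size.
hsm_genkey() {
  engine="$1"; sub="$2"; shift 2
  # stderr is captured for inspection; stdout is discarded because the key
  # is written to the file named by -out.
  err=$(openssl "$sub" -engine "$engine" "$@" 2>&1 >/dev/null) || {
    printf '%s\n' "$err" >&2
    return 2                                   # openssl itself failed
  }
  if software_keygen_trace "$err"; then
    echo "refusing: OpenSSL generated this key in software, not on the HSM" >&2
    return 1
  fi
  return 0                                     # no fallback trace observed
}
```

A non-zero exit from hsm_genkey is the signal to discard the output file; a key that was generated in software is not on the HSM and cannot be used there later.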

Issue: You cannot install OpenSSL Dynamic Engine for Client SDK 3 on RHEL 8, CentOS 8, or Ubuntu 18.04 LTS

  • Impact: By default, RHEL 8, CentOS 8, and Ubuntu 18.04 LTS ship a version of OpenSSL that is not compatible with OpenSSL Dynamic Engine for Client SDK 3.

  • Workaround: Use a Linux platform that provides support for OpenSSL Dynamic Engine. For more information about supported platforms, see Supported Platforms.

  • Resolution status: AWS CloudHSM supports these platforms with OpenSSL Dynamic Engine for Client SDK 5. For more information, see Supported Platforms and OpenSSL Dynamic Engine.

Issue: SHA-1 Sign and Verify deprecation on RHEL 9 (9.2+)

Issue: AWS CloudHSM OpenSSL Dynamic Engine is incompatible with the FIPS provider for OpenSSL v3.x

  • Impact: You will receive an error if you attempt to use the AWS CloudHSM OpenSSL Dynamic Engine while the FIPS provider is enabled for OpenSSL 3.x.

  • Workaround: To use the AWS CloudHSM OpenSSL Dynamic Engine with OpenSSL 3.x, ensure that the "default" provider is the one configured. Read more about the default provider on the OpenSSL website.
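The following is an added example, not configuration shipped by AWS CloudHSM: it writes an OpenSSL 3.x configuration that activates the "default" provider (rather than "fips") alongside a dynamic engine section for the CloudHSM engine, and provides a preflight check that parses the output of `openssl list -providers` and fails if the FIPS provider is active. The engine library path, engine id "cloudhsm", section names, and function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of AWS CloudHSM. Produces an OpenSSL 3.x config
# with the "default" provider active and checks that "fips" is not loaded.

# Usage: write_engine_conf <path-to-write> <path-to-engine-shared-object>
# The engine .so path is supplied by the caller; the one used in the test
# below is an assumed location, not a documented one.
write_engine_conf() {
  cat > "$1" <<EOF
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
engines = engine_sect

[provider_sect]
# Activating "fips" here instead of "default" makes the CloudHSM engine fail to load.
default = default_sect

[default_sect]
activate = 1

[engine_sect]
cloudhsm = cloudhsm_sect

[cloudhsm_sect]
engine_id = cloudhsm
dynamic_path = $2
init = 1
EOF
}

# $1 = captured output of \`openssl list -providers\` (OpenSSL 3.x format:
# provider ids indented two spaces, their attributes indented four).
# Returns 0 if a provider with id "fips" is reported as active.
fips_provider_active() {
  printf '%s\n' "$1" | awk '
    /^  [^ ]/                       { cur = $1 }            # provider id line
    /status: active/ && cur == "fips" { found = 1 }
    END                             { exit(found ? 0 : 1) }'
}

# Usage: preflight <openssl.cnf>
# Loads the given config and refuses to continue if the FIPS provider is active.
preflight() {
  out=$(OPENSSL_CONF="$1" openssl list -providers 2>&1) || return 2
  if fips_provider_active "$out"; then
    echo "FIPS provider is active; the CloudHSM engine will not work" >&2
    return 1
  fi
  return 0
}
```

Run preflight against the same configuration file your application will load (via OPENSSL_CONF or the system openssl.cnf); a configuration that activates the "fips" section is the weak setting this issue describes, and the written file above shows the corrected one.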