ssh, sshd, and Apache Enable OpenSSL pkcs11 Engine by Default on T4, T4+ Platforms (18762585, 18764604) - Oracle® Solaris 11.2 Release Notes

Oracle^® Solaris 11.2 Release Notes

Exit Print View

» ...Documentation Home » Oracle Solaris 11.2 Information Library » Oracle^® Solaris 11.2 Release Notes » Runtime Issues » Security Issues » ssh, sshd, and Apache Enable OpenSSL pkcs11 ...

Updated: May 2015

Oracle^® Solaris 11.2 Release Notes

Document Information

Using This Documentation

Chapter 1 Before You Begin

Chapter 2 Installation Issues

Chapter 3 Update Issues

Chapter 4 Runtime Issues

Firmware Issues

x86: Some Systems With BIOS Firmware Do Not Boot If the EFI_PMBR Entry in the Master Boot Record Is Not Active (15796456)

SPARC: GPT Labeled Disk Support

x86: Booting in UEFI Mode From the ISO Image Is Very Slow on Oracle VM VirtualBox

x86: Oracle Solaris Does Not Boot on Disks Using Older Emulex FC HBA Cards (15806304)

ZFS Should Retry or Abort an Entire Transaction When a WCE LUN Gets a Power-On-Reset (15662604)

System Configuration Issues

SPARC: System Fails to Boot an iSCSI LUN on an iSCSI Storage Array (15775115)

root.sh Fails to Start nodeapps for IPv4 or IPv6 in an Oracle Solaris Zone (19080861, 18922918)

File System Issue

Issues When Replacing or Using New Advanced Format Disk Drives on Oracle Solaris Systems

System Administration Issues

svccfg validate Command Fails on a Split Manifest (15891161)

x86: ZFS Pool Information Becomes Stale After Running the stmsboot Command With e Option (15791271)

LDAP Warnings During System Boot (15805913)

Console Message Displayed During Boot (16756035)

SPARC: Suspending an M5000 Server Might Hang the System (18552774)

SPARC: D-Bus Kernel Heap Corruption When Attempting to Remove a Bus Device (18435472)

SPARC: 64-bit: PCIe Express Module Systems Might Intermittently Panic (18996506)

solaris10 Branded Zone Installation Fails If the fs Resources Are Added to the Zone Configuration (19976804)

Networking Issues

addrconf Addresses Cannot Be Configured as IPMP Test Addresses (16885440)

SPARC: Creating a VNIC Fails If a Physical NIC Is Used as net-dev (19188703)

DLMP Does Not Work on an SR-IOV Virtual Function or a Virtual Network Device in a Guest Domain (17656120)

Security Issues

ssh, sshd, and Apache Enable OpenSSL pkcs11 Engine by Default on T4, T4+ Platforms (18762585, 18764604)

ktkt_warn Service Is Disabled by Default (15774352)

Kernel Zones Issues

Boot Arguments to the reboot Command Are Ignored (18177344)

Kernel Zones Using Virtual CPUs Might Block Processor Set Creation or CPU Dynamic Reconfiguration (18061724)

Kernel Zones Interfere With hardware-counter-overflow Interrupt (18355260)

SPARC: Kernel Zones Block Live Migration of Guest Domains (18289196)

ipadm Fails With Insufficient Memory Error (18134702)

zoneadm install and clone Subcommands Do Not Check for Duplicate Storage Devices (18685017)

Evolution Application Crashes After New Installation (15734404)

SPARC: Desktop Issues With USB Keyboard, Mouse, and Physical Monitor (15700526)

D-Bus System Daemon Has a Small File Descriptor Limit for Sun Ray or XDMCP Server Use (15812274)

Trusted Extensions Desktop Users Are Logged Out After 15 Minutes (18462288)

Graphics and Imaging Issue

x86: NVIDIA Graphics Driver Upgrade (18098413)

Performance Issues

ZFS Data Cannot Be Easily Reclaimed (15942559)

Listing LUNs Takes Over a Minute on M6-32 Servers (18125373)

SPARC: EP Service Creates Defunct Processes Every 24 Hours (16311652)

Runnable Thread Occasionally Stays in Run Queue for a Longer Period (17697871)

Hardware Issues

SPARC: Devices on PCI Box Cannot Be Configured by hotplug on Fujitsu M10 Systems (15813959)

SPARC: Fujitsu M10 Server Panics During Process Exit (19230723)

fault.io.usb.eps Warning on the USB Ethernet Device (16268647)

Rebooting Root Domain Causes Oracle VM Server for SPARC to Panic (18936032)

SPARC: Running VTS on a T3-2 Server Causes Fatal Error in the PCIe Fabric (19137125)

Appendix A Previously Documented Bugs That Are Fixed in the Oracle Solaris 11.2 Release

Language:

`ssh`, `sshd`, and Apache Enable OpenSSL `pkcs11` Engine by Default on T4, T4+ Platforms (18762585, 18764604)

Starting with Oracle Solaris 11.2, T4 instructions and Intel hardware acceleration are embedded in the OpenSSL internal crypto implementation for non-FIPS-140 OpenSSL. This change affects the performance of ssh, sshd, and Apache because these services use the OpenSSL pkcs11 engine by default on T4 systems and later versions.

Workaround: To obtain maximum performance, disable the OpenSSL pkcs11 engine.

Perform the following steps to disable the pkcs11 engine for ssh and sshd services:

Add the following line to the /etc/ssh/ssh_config and /etc/ssh/sshd_config files:
```
UseOpenSSLEngine no
```
Restart the ssh service.
```
# svcadm restart ssh
```

Perform the following steps to disable the pkcs11 engine for the apache22 service:

Comment out the following line in the /etc/apache2/2.2/conf.d/ssl.conf file:
```
# SSLCryptoDevice pkcs11
```
Restart the apache22 service.
```
# svcadm restart apache22
```

Note - This issue is applicable only for the OpenSSL non-FIPS-140 module. For information about the OpenSSL FIPS-140 module, see Using a FIPS 140 Enabled System in Oracle Solaris 11.2.

Copyright © 2014, 2015, Oracle and/or its affiliates. All rights reserved. Legal Notices