Using softhsm2 with openssl s_client

[fipscode]

How can I use softhsm2 with openssl's s_client? The softhsm2 initialization seems to work:

root@host:~# softhsm2-util --free --init-token --label test --so-pin 12345678 --pin 12345678
Slot 0 has a free/uninitialized token.
The token has been initialized and is reassigned to slot 2087010768
root@host:~# softhsm2-util --token test --import user.key.p8 --label test --id 0000 --pin 12345678
Found slot 2087010768 with matching token label.
The key pair has been imported.
root@host:~# softhsm2-util --token test --import user.crt --import-type cert --label test --id 0000 --pin 12345678
Found slot 2087010768 with matching token label.
The certificate has been imported.
root@host:~# softhsm2-util --show-slots
Available slots:
Slot 2087010768
    Slot info:
        Description:      SoftHSM slot ID 0x7c6541d0                                      
        Manufacturer ID:  SoftHSM project                 
        Hardware version: 2.7
        Firmware version: 2.7
        Token present:    yes
    Token info:
        Manufacturer ID:  SoftHSM project                 
        Model:            SoftHSM v2      
        Hardware version: 2.7
        Firmware version: 2.7
        Serial number:    ae7a54ee7c6541d0
        Initialized:      yes
        User PIN init.:   yes
        Label:            test                            
Slot 1
    Slot info:
        Description:      SoftHSM slot ID 0x1                                             
        Manufacturer ID:  SoftHSM project                 
        Hardware version: 2.7
        Firmware version: 2.7
        Token present:    yes
    Token info:
        Manufacturer ID:  SoftHSM project                 
        Model:            SoftHSM v2      
        Hardware version: 2.7
        Firmware version: 2.7
        Serial number:                    
        Initialized:      no
        User PIN init.:   no
        Label:                                            

This is my OpenSSL setup:

root@host:~# cat /etc/openssl.cnf
[openssl_init]
providers = providers

[providers]
default = provider_default
pkcs11 = provider_pkcs11

[provider_default]
activate = 0

[provider_pkcs11]
module = /usr/lib/x86_64-linux-gnu/ossl-modules/pkcs11.so
pkcs11-module-path = /usr/local/lib/softhsm/libsofthsm2.so
activate = 1
root@host:~# ls -ls /usr/lib/x86_64-linux-gnu/ossl-modules/pkcs11.so /usr/local/lib/softhsm/libsofthsm2.so
 193 -rw-r--r-- 1 root root   323816 Apr  1  2024 /usr/lib/x86_64-linux-gnu/ossl-modules/pkcs11.so
5741 -rwxr-xr-x 1 root root 10921424 Feb 25 21:22 /usr/local/lib/softhsm/libsofthsm2.so

But s_client seems not to (fully) use the PKCS#11 data:

root@host:~# export OPENSSL_CONF=/etc/openssl.cnf 
root@host:~# openssl s_client -provider pkcs11 -keyform engine
40A73E8CD07B0000:error:0A0000A1:SSL routines:SSL_CTX_new_ex:library has no ciphers:../ssl/ssl_lib.c:3326:
root@host:~# openssl s_client -provider pkcs11 -keyform engine -key 'pkcs11:'
No engine specified for loading client certificate private key
No filename or uri specified for loading
 client certificate private key

Can you provide me with the necessary s_client cmdline and some possible initialization I've missed?

Greetings,
Fabiano

[dengert]

Google for: latchset/provider examples s_client
The AI will find examples like:

openssl s_client -connect server.example.com:443
-provider pkcs11 -provider default
-cert "pkcs11:token=MyToken;object=MyClientCert;type=cert"
-key "pkcs11:token=MyToken;object=MyClientKey;type=private"

openssl s_client -connect server.example.com:443
-provider pkcs11 -provider default
-key "pkcs11:token=MyToken;pin-value=1234;object=MyClientKey;type=private"

drop the -engine as it is replaced by openssl provider.