Strong Cryptography in Solaris Zone

cryptography solaris kerberos solaris-10 zones

I got a solution: (provided by Oracle Support)

This is apparently a bug in the packaging of SUNWcry/SUNWcryr, which can not be fixed during the Solaris 10 release cycle (as said before it is fixed for me on Solaris 11).

Bug report examples: 6534506, 6759852

Workaround:

replace pkcs11_softtoken with pkcs11_softtoken_extra in cryptoadm

(within the zone)

# cryptoadm disable provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so mechanism=all
# cryptoadm enable provider=/usr/lib/security/\$ISA/pkcs11_softtoken_extra.so mechanism=all

NOTE:

If the second command failed with an error no such file or directory, then you can do the alternate procedure:

(within the zone)

# cryptoadm disable provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so mechanism=all
# vi /etc/crypto/pkcs11.conf

Change the:

/usr/lib/security/$ISA/pkcs11_softtoken.so:enabledlist=

To:

/usr/lib/security/$ISA/pkcs11_softtoken_extra.so

Save the file and run:

# encrypt -l
Algorithm       Keysize:  Min   Max (bits)
------------------------------------------
aes                       128   256
arcfour                     8  2048
des                        64    64
3des                      128   192

you should now be good to go.

Related

Recovering from a system-wide chown?
How to force a own set of ciphers in Postfix 2.11?
Connection refused after apache update
Can't make a VirtualHost working with ipv6
Use a specific outbound IP with Docker
ok - I think I'm stuck with no way to redirect old site to new IP address
Ubuntu 16.04 - frozen mdadm array
ADFS Passive Request = "There are no registered protocol handlers"
L2TP with PEAP authentication from MacOS/iOS
How to implement Nat loopback/reflection?
How to improve Hyper-V performance
Apache redirect from http to https not working