David Woodhouse
Probably best to take further discussion on that to https://gitlab.gnome.org/GNOME/NetworkManager-openconnect/-/issues as it isn't really about openconnect-sso any more. Thanks!
That looks like a Pulse (or Juniper NC) server, not AnyConnect.
> Test exposure for different PKCS#11 tokens is severely limited

Little excuse for that with SoftHSM being so readily available. Feel free to lift from the OpenConnect test suite, which...
One option perhaps, if OpenSSL doesn't have a coherent answer to this, is that every case where we currently fail with `PKCS11_ALIEN_KEY` should just fall through to the previous default...
Another option for OpenSSL engine` for ourselves on the returned object. Can't do that in 1.1+ though.
> With all due respect, this PR is insane. Does any other engine do it this way?

[Allegedly](https://github.com/openssl/openssl/pull/1643#issuecomment-250397927) they all do. I just have the strong feeling that I'm missing...
That's bikeshedding though. However the `ENGINE *` gets to `RSA_new_method ()` we still have the fundamental problem.
The one I was calling the "fundamental" problem was the fact that _(AFAICT)_ OpenSSL simultaneously requires that we - **MUST** use `ENGINE_set_RSA()` in order for the ref counting via `RSA_new_method()`...
So this didn't actually start to bite us until we supported EC, and got invoked to handle ECDHE cipher suites. Maybe they just haven't updated yet? We can probably contrive...
@levitte, you miss the point. How do we reconcile the **MUST** vs. **MUST NOT** bullet points a few comments up?