[PATCH 0 of 1] allow to use engine keyform for server private key

Maxim Dounin mdounin at mdounin.ru
Tue Mar 25 17:10:25 UTC 2014


Hello!

On Tue, Mar 25, 2014 at 04:45:46PM +0400, Tatiana Kondakova wrote:

> Hello.
> I'm a cryptography library developer (http://www.cryptopro.ru/).
> I want to make our server-side TLS work with nginx, and we 
> have an engine for OpenSSL, which successfully works with the openssl 
> utilities. But for security reasons we cannot export the 
> private key to a file, so our engine needs something like the 
> keyform ENGINE option.
> This option makes it possible to use nginx with our library, with 
> PKCS#11 tokens and with any other engine which does not support 
> private key export.

While this functionality looks interesting, the patch certainly 
needs more work before it will be possible to commit it.  In 
particular, the patch will break compilation with mail module, not 
even talking about style issues.

I also can't say I like the way it's expected to be 
configured.  There should be a better way to do this, probably 
some parameter of the ssl_certificate_key directive ("format="? or 
rather "engine="?) and/or some specific path prefix to load a key 
from an engine.

-- 
Maxim Dounin
http://nginx.org/
