[PATCH] Add PKCS#11 support to nginx http module
calderon.thomas at gmail.com
Mon Nov 10 14:54:20 UTC 2014
Is someone else interested in providing feedback for my patch?
On Mon, Nov 3, 2014 at 11:30 PM, Thomas Calderon <calderon.thomas at gmail.com>
> Hi Piotr,
> I was not aware that some efforts were ongoing to use PKCS#11 devices with
> However, my experience with OpenSSL engine support is that the code is
> dusty, rather limited and relies on external configuration files.
> Dmitrii's approach requires stacking the OpenSSL engine code and OpenSC's
> engine_pkcs11, which ends up loading the real PKCS#11 middleware.
> OpenSSL tends to perform multiple engine initialization which can confuse
> the PKCS#11 shared library. Using the engine section in openssl.cnf ties
> you up with a system-wide defined middleware.
> I would rather advocate for a more direct and self-contained approach.
> Thomas Calderon.
> On Mon, Nov 3, 2014 at 10:50 PM, Piotr Sikora <piotr at cloudflare.com>
>> Hi Thomas,
>> > This patch leverages PKCS#11 support in nginx http module using libp11.
>> > This allows the private key to be stored in a dedicated hardware (or
>> > software) component.
>> Dmitrii Pichulin is already working on a (IMHO) much better way to
>> handle PKCS#11 via OpenSSL engines:
>> Best regards,
>> Piotr Sikora
>> nginx-devel mailing list
>> nginx-devel at nginx.org
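
The engine-based setup discussed in this thread, shown as an added illustration that is not part of the original messages or of either patch: an openssl.cnf engine section that loads engine_pkcs11, which in turn loads the PKCS#11 middleware. Both file paths are assumed placeholders and the section names are arbitrary labels.

```ini
# openssl.cnf (system-wide OpenSSL configuration)
# Added example; both library paths below are assumed placeholders.

openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
# Layer 1: OpenSSL's engine framework resolves this entry.
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# Layer 2: OpenSC's engine_pkcs11 shared object, loaded by OpenSSL.
dynamic_path = /usr/lib/engines/engine_pkcs11.so
# Layer 3: the vendor PKCS#11 middleware, loaded by engine_pkcs11.
# Set here, it applies to every application that reads this file.
MODULE_PATH = /usr/lib/opensc-pkcs11.so
# Do not initialise the engine when the configuration is loaded.
init = 0
```

Because `MODULE_PATH` lives in the shared configuration file, switching one service to a different token or HSM means pointing that process at its own file through the `OPENSSL_CONF` environment variable.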