[PATCH] Add PKCS#11 support to nginx http module
Thomas Calderon
calderon.thomas at gmail.com
Mon Nov 10 14:54:20 UTC 2014
Hi all,
Is someone else interested in providing feedback for my patch ?
Regards,
Thomas.
On Mon, Nov 3, 2014 at 11:30 PM, Thomas Calderon <calderon.thomas at gmail.com>
wrote:
> Hi Piotr,
>
> I was not aware that some efforts were ongoing to use PKCS#11 devices with
> nginx.
> However, my experience with OpenSSL engine support is that the code is
> dusty, rather limited and relies on external configuration files.
> Dmitrii's approach requires to stack the OpenSSL engine code and OpenSC's
> engine_pkcs11 which ends-up loading the real PKCS#11 middleware.
> OpenSSL tends to perform multiple engine initialization which can confuse
> the PKCS#11 shared library. Using the engine section in openssl.cnf ties
> you up with a system-wide defined middleware.
>
> I would rather advocate for a more direct and self-contained approach.
>
> Regards,
>
> Thomas Calderon.
>
> On Mon, Nov 3, 2014 at 10:50 PM, Piotr Sikora <piotr at cloudflare.com>
> wrote:
>
>> Hi Thomas,
>>
>> > This patch leverages PKCS#11 support in nginx http module using libp11.
>> > This allows the private key to be stored in a dedicated hardware (or
>> > software) component.
>>
>> Dmitrii Pichulin is already working on (IMHO) much better way to
>> handle PKCS#11 via OpenSSL engines:
>> http://mailman.nginx.org/pipermail/nginx-devel/2014-August/005740.html
>>
>> Best regards,
>> Piotr Sikora
>>
>> _______________________________________________
>> nginx-devel mailing list
>> nginx-devel at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20141110/16910c0e/attachment.html>
More information about the nginx-devel
mailing list