Nginx HSM integration for SSL termination
1989.gaurav at googlemail.com
Mon Jun 15 14:28:27 UTC 2015
Thanks for your prompt response. The OpenSSL engine being responsible for the
behavior makes a lot of sense. I am sorry, since "pkey =
ENGINE_load_private_key(engine, (char *) last, 0, 0);" confused me and made
me assume that it's getting loaded during startup.
I am using engine_pkcs11 to integrate with the HSM. I will dive deeper into the
engine code to understand and tweak the behavior.
Thanks again for your help.
On Mon, Jun 15, 2015 at 7:42 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> On Mon, Jun 15, 2015 at 11:58:46AM +0530, gaurav gupta wrote:
> > Hello Folks,
> > Currently we store SSL private keys in a file on production servers. We are
> > looking to move the SSL keys to an HSM for security reasons so the private key never
> > leaves the HSM. After Heartbleed, I found a lot of suggestions to move SSL keys
> > to an HSM so the keys are inaccessible, but could not find any direct
> > for nginx.
> > On some search I found Dmitri's patch
> > http://forum.nginx.org/read.php?29,251983,255297#msg-255297 to support
> > the engine keyform to load the SSL key. I was able to get it working and it works
> > magic, but as far as I understand it's still loaded in memory every time
> > nginx starts. The benefit of loading the SSL key from the HSM is that the key is not
> > in a plain-text file, but it's still in memory.
> > Can you please suggest how we can use the HSM to perform asymmetric crypto
> > as well so the private key never leaves the HSM.
> > PS: I found accessl https://github.com/gozdal/accessl which makes use of
> > the OpenSSL engine mechanism to offload key storage and crypto operations.
> The patch in question was committed in 1.7.9, and is available in all
> recent versions of nginx. It allows loading keys from arbitrary
> OpenSSL engines, and what "load" means depends on the engine used.
> That is, it's up to the OpenSSL engine to avoid actual loading of keys
> into memory.
> Maxim Dounin
Thanks & Regards,
"Quality is never an accident. It is always the result of intelligent effort" -
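To make Maxim's point concrete, here is an added example (not from this thread, nginx or engine_pkcs11) showing the file-based key beside the engine-backed form, where nginx hands the key id to the engine and the private operation stays inside the HSM. The engine library paths, the PKCS#11 module path, the PIN and the key id are constructed placeholders; the exact key id syntax is defined by the engine_pkcs11 version in use.

```conf
# ---- /etc/ssl/openssl.cnf (excerpt) ----
# Registers engine_pkcs11 as a dynamic engine so that nginx's
# ENGINE_by_id("pkcs11") finds it; nginx loads the OpenSSL config at startup.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id    = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so   # placeholder path
MODULE_PATH  = /usr/lib/softhsm/libsofthsm2.so     # PKCS#11 module, placeholder
PIN          = 1234                                # placeholder; restrict file permissions
init         = 1   # engine must be initialised before ENGINE_load_private_key()

# ---- /etc/nginx/nginx.conf (excerpt) ----
server {
    listen      443 ssl;
    server_name example.com;

    # The certificate is public and stays a file.
    ssl_certificate     /etc/nginx/ssl/example.com.crt;

    # Before: the PEM key is read from disk into nginx's memory.
    # ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # After (nginx >= 1.7.9): "engine:<engine id>:<key id>". Everything after
    # the second colon is passed verbatim to ENGINE_load_private_key(), so the
    # id format is the engine's, not nginx's. With engine_pkcs11 the returned
    # EVP_PKEY is a handle whose sign/decrypt calls run inside the HSM.
    ssl_certificate_key engine:pkcs11:id_0001;   # placeholder key id

    ssl_protocols TLSv1.2;
}
```

A quick check that the key really is not on disk or in the nginx process image is to verify that no PEM "PRIVATE KEY" block exists in the config directory and that a TLS handshake still completes with the HSM token present.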