Nginx HSM integration for SSL termination

gaurav gupta 1989.gaurav at googlemail.com
Mon Jun 15 14:28:27 UTC 2015


Hello Maxim,

Thanks for your prompt response. The OpenSSL engine being responsible for the
behavior makes a lot of sense. I am sorry, since "pkey =
ENGINE_load_private_key(engine, (char *) last, 0, 0);" confused me and made
me assume that it's getting loaded during startup.

I am using engine_pkcs11 to integrate with the HSM. I will dive deeper into the
engine code to understand and tweak the behavior.

Thanks again for your help.

On Mon, Jun 15, 2015 at 7:42 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:

> Hello!
>
> On Mon, Jun 15, 2015 at 11:58:46AM +0530, gaurav gupta wrote:
>
> > Hello Folks,
> >
> > Currently we store SSL private keys in files on production servers. We are
> > looking to move SSL keys to an HSM for security reasons so the private key never
> > leaves the HSM. After Heartbleed, I found lots of suggestions to move SSL keys
> > to an HSM so keys are inaccessible, but could not find any direct integration
> > for nginx.
> >
> > On some searching I found Dmitri's patch
> > http://forum.nginx.org/read.php?29,251983,255297#msg-255297 to support
> > the engine keyform to load the SSL key. I was able to get it working and it works like
> > magic, but as far as I understand it's still loaded into memory every time
> > nginx starts. The benefit of loading the SSL key from the HSM is that the key is not
> > stored in a plain text file, but it's still in memory.
> >
> > Can you please suggest how we can use the HSM to perform asymmetric crypto operations
> > as well so the private key never leaves the HSM.
> >
> > PS: I found accessl https://github.com/gozdal/accessl which makes use of the
> > openssl engine mechanism to offload key storage and crypto operations.
>
> The patch in question was committed in 1.7.9, and is available in all
> recent versions of nginx.  It allows loading keys from arbitrary
> OpenSSL engines, and what "load" means depends on the engine used.
> That is, it's up to the OpenSSL engine to avoid actually loading keys
> into memory.
>
> --
> Maxim Dounin
> http://nginx.org/
>



-- 
Thanks & Regards,
Gaurav Gupta
7676-999-350

"Quality is never an accident. It is always the result of intelligent effort" -
John Ruskin
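The setup the thread converges on, written out as an added example (it is not configuration from the thread, from nginx, or from the engine_pkcs11 project): nginx is pointed at the key through the `engine:name:id` form of `ssl_certificate_key` that the 1.7.9 patch introduced, and the engine itself is configured through OpenSSL's config file, since nginx only calls `ENGINE_load_private_key()` and leaves everything else to the engine. All paths, token names, object labels and the PIN are placeholders; the PKCS#11 URI key id assumes an engine_pkcs11 release that accepts URIs (older releases use the `slot_N-id_XX` form instead).

```nginx
# --- /etc/ssl/openssl.cnf (excerpt; placeholder paths) ----------------------
# nginx links against OpenSSL, so the engine is set up here, not in nginx.conf.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id    = pkcs11
# Placeholder: location of the engine_pkcs11 shared object on this distro.
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
# Placeholder: the HSM vendor's PKCS#11 module (or libsofthsm2.so for testing).
MODULE_PATH  = /opt/hsm/lib/libvendor-pkcs11.so
# nginx passes no UI callback to ENGINE_load_private_key(), so it cannot prompt
# for a PIN; the engine has to get it from here. Restrict this file's
# permissions accordingly (placeholder value).
PIN          = changeit-placeholder
init         = 0

# --- /etc/nginx/conf.d/tls.conf (excerpt; placeholder names) ----------------
server {
    listen 443 ssl;
    server_name example.com;

    # The certificate is public and still lives on disk as usual.
    ssl_certificate /etc/nginx/certs/example.com.crt;

    # engine:<engine name>:<key id>, supported since nginx 1.7.9.
    # What nginx gets back is an EVP_PKEY handle whose signing operations are
    # dispatched into the token; the private key bytes never enter the nginx
    # process. The id is whatever the engine understands, here a PKCS#11 URI
    # selecting the private key object by token name and object label.
    ssl_certificate_key "engine:pkcs11:pkcs11:token=WebServer;object=example.com;type=private";

    ssl_protocols TLSv1.2;
}
```

Before pointing nginx at the engine, confirm that OpenSSL alone can resolve the same id and that it matches the certificate: `openssl rsa -engine pkcs11 -inform engine -in "<key id>" -pubout` should print the same public key as `openssl x509 -in example.com.crt -noout -pubkey`. Signing latency per handshake now depends on the HSM round trip rather than on local CPU, so measure it before cutting over, and keep in mind that the key handle is still obtained once at startup, as Maxim describes, so a token that goes away at runtime shows up as handshake failures rather than as a startup error.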

