<div dir="ltr"><div><div><div>Hi Piotr,<br><br></div><div>I was not aware that some efforts were ongoing to use PKCS#11 devices with nginx.<br></div>However, my experience with OpenSSL engine support is that the code is dusty, rather limited and relies on external configuration files.<br>Dmitrii's approach requires to stack the OpenSSL engine code and OpenSC's engine_pkcs11 which ends-up loading the real PKCS#11 middleware.<br></div><div>OpenSSL tends to perform multiple engine initialization which can confuse the PKCS#11 shared library. Using the engine section in openssl.cnf ties<br>you up with a system-wide defined middleware.<br></div><div><br>I would rather advocate for a more direct and self-contained approach.<br><br></div>Regards,<br><br></div>Thomas Calderon.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Nov 3, 2014 at 10:50 PM, Piotr Sikora <span dir="ltr"><<a href="mailto:piotr@cloudflare.com" target="_blank">piotr@cloudflare.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Thomas,<br>
<span class=""><br>
> This patch leverages PKCS#11 support in nginx http module using libp11.<br>
> This allows the private key to be stored in a dedicated hardware (or<br>
> software) component.<br>
<br>
</span>Dmitrii Pichulin is already working on (IMHO) much better way to<br>
handle PKCS#11 via OpenSSL engines:<br>
<a href="http://mailman.nginx.org/pipermail/nginx-devel/2014-August/005740.html" target="_blank">http://mailman.nginx.org/pipermail/nginx-devel/2014-August/005740.html</a><br>
<br>
Best regards,<br>
Piotr Sikora<br>
<br>
_______________________________________________<br>
nginx-devel mailing list<br>
<a href="mailto:nginx-devel@nginx.org">nginx-devel@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx-devel" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx-devel</a><br>
</blockquote></div><br></div>