[PATCH 0 of 1] allow to use engine keyform for server private key

Dmitrii Pichulin pdn at cryptopro.ru
Fri Jul 11 12:24:51 UTC 2014


This solution adds support for at least two openssl engines which are
currently unsupported — our gost_capi and the pkcs11 one:
http://www.freebsd.org/cgi/ports.cgi?query=engine_pkcs11&stype=all&sektion=all

https://github.com/OpenSC/OpenSC/wiki/OpenSSL-engine-for-PKCS%2311-modules


If you have a solution for how to support them (and others) in a better way
for nginx, please describe it more clearly. Currently we do not
understand why our solution is not good enough for you.

On 04.07.2014 16:31, Maxim Dounin wrote:
> Hello!
>
> On Fri, Jul 04, 2014 at 12:18:03PM +0000, Пичулин Дмитрий Николаевич wrote:
>
>> We looked at STORE_METHOD but didn't find any good examples.
>> We looked at "format=%s engine=% key=%" at single ssl_certificate_key directive but found this way more complex.
>>
>> Currently, we want to add 2 directives to ngx_http_ssl_module (as seen in openssl apps args):
>> ssl_certificate_keyform type;
>> ssl_certificate_engine device;
>>
>> "Type" can be PEM or ENGINE with default PEM. "Device" defines ssl engine when "type" is ENGINE in a current http, server context.
>>
>> Will this be enough?
> Doesn't look like a good solution for me.
>
> BTW, posting in text/plain, with appropriate quoting and with
> In-Reply-To is a plus.  Thank you.
>


