[PATCH 0 of 1] allow to use engine keyform for server private key
Maxim Dounin
mdounin at mdounin.ru
Tue Mar 25 17:10:25 UTC 2014
Hello!
On Tue, Mar 25, 2014 at 04:45:46PM +0400, Tatiana Kondakova wrote:
> Hello.
> I'm a cryptography library developer (http://www.cryptopro.ru/).
> I want to make our server-side TLS work with nginx, and we
> have an engine for openssl, which successfully works with openssl
> utilities. But for security reasons we cannot export the
> private key to a file, so our engine needs something like the
> keyform ENGINE option.
> This option makes it possible to use nginx with our library, with
> PKCS#11 tokens and with any other engine that does not support
> private key export.
While this functionality looks interesting, the patch certainly
needs more work before it will be possible to commit it. In
particular, the patch will break compilation with the mail module, not
to mention style issues.
I also can't say I like the way it's expected to be
configured. There should be a better way to do this, probably
some parameter of the ssl_certificate_key directive ("format="? or
rather "engine="?) and/or some specific path prefix to load a key
from an engine.
--
Maxim Dounin
http://nginx.org/