[PATCH] Add PKCS#11 support to nginx http module

Thomas Calderon calderon.thomas at gmail.com
Mon Nov 3 22:30:57 UTC 2014


Hi Piotr,

I was not aware that some efforts were ongoing to use PKCS#11 devices with
nginx.
However, my experience with OpenSSL engine support is that the code is
dusty, rather limited and relies on external configuration files.
Dmitrii's approach requires stacking the OpenSSL engine code and OpenSC's
engine_pkcs11, which ends up loading the real PKCS#11 middleware.
OpenSSL tends to perform multiple engine initializations, which can confuse
the PKCS#11 shared library. Using the engine section in openssl.cnf ties
you to a system-wide defined middleware.

I would rather advocate for a more direct and self-contained approach.

Regards,

Thomas Calderon.

On Mon, Nov 3, 2014 at 10:50 PM, Piotr Sikora <piotr at cloudflare.com> wrote:

> Hi Thomas,
>
> > This patch leverages PKCS#11 support in nginx http module using libp11.
> > This allows the private key to be stored in a dedicated hardware (or
> > software) component.
>
> Dmitrii Pichulin is already working on (IMHO) much better way to
> handle PKCS#11 via OpenSSL engines:
> http://mailman.nginx.org/pipermail/nginx-devel/2014-August/005740.html
>
> Best regards,
> Piotr Sikora