[PATCH] Add PKCS#11 support to nginx http module

Maxim Dounin mdounin at mdounin.ru
Mon Nov 10 15:11:09 UTC 2014


Hello!

On Mon, Nov 10, 2014 at 03:54:20PM +0100, Thomas Calderon wrote:

> Hi all,
> 
> Is someone else interested in providing feedback for my patch?

Dmitrii's patch is currently a primary candidate for inclusion.  I 
agree with Piotr - it looks much better as it doesn't introduce 
additional dependencies and more configuration directives to do 
the same thing.

> Regards,
> 
> Thomas.
> 
> On Mon, Nov 3, 2014 at 11:30 PM, Thomas Calderon <calderon.thomas at gmail.com>
> wrote:
> 
> > Hi Piotr,
> >
> > I was not aware that some efforts were ongoing to use PKCS#11 devices with
> > nginx.
> > However, my experience with OpenSSL engine support is that the code is
> > dusty, rather limited and relies on external configuration files.
> > Dmitrii's approach requires stacking the OpenSSL engine code and OpenSC's
> > engine_pkcs11, which ends up loading the real PKCS#11 middleware.
> > OpenSSL tends to perform multiple engine initialization which can confuse
> > the PKCS#11 shared library. Using the engine section in openssl.cnf ties
> > you up with a system-wide defined middleware.
> >
> > I would rather advocate for a more direct and self-contained approach.
> >
> > Regards,
> >
> > Thomas Calderon.
> >
> > On Mon, Nov 3, 2014 at 10:50 PM, Piotr Sikora <piotr at cloudflare.com>
> > wrote:
> >
> >> Hi Thomas,
> >>
> >> > This patch leverages PKCS#11 support in nginx http module using libp11.
> >> > This allows the private key to be stored in a dedicated hardware (or
> >> > software) component.
> >>
> >> Dmitrii Pichulin is already working on (IMHO) a much better way to
> >> handle PKCS#11 via OpenSSL engines:
> >> http://mailman.nginx.org/pipermail/nginx-devel/2014-August/005740.html
> >>
> >> Best regards,
> >> Piotr Sikora
> >>
> >> _______________________________________________
> >> nginx-devel mailing list
> >> nginx-devel at nginx.org
> >> http://mailman.nginx.org/mailman/listinfo/nginx-devel
> >>


-- 
Maxim Dounin
http://nginx.org/


