[PATCH] Add PKCS#11 support to nginx http module

Thomas Calderon calderon.thomas at gmail.com
Mon Nov 10 15:36:10 UTC 2014


Hi Maxim,


On Mon, Nov 10, 2014 at 4:11 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:

> Hello!
>
> On Mon, Nov 10, 2014 at 03:54:20PM +0100, Thomas Calderon wrote:
>
> > Hi all,
> >
> > Is someone else interested in providing feedback for my patch ?
>
> Dmitrii's patch is currently a primary candidate for inclusion.  I
> agree with Piotr - it looks much better as it doesn't introduce
> additional dependencies and more configuration directives to do
> the same thing.
>

Well a user will need to use OpenSC's engine_pkcs11 in order to use its own
PKCS#11 library.
Although, this is an external dependency, without it, Dmitrii's patch is
pretty much useless.
As for the addition of configuration directives, a user will need to use
the global openssl.cnf in order to have a meaningful PKCS#11 configuration,
with the various shortcomings I mentioned in my previous post.

I understand that nginx team desires to minimize the various changes that
are introduced in the code base. IMHO, adding support for PKCS#11 devices
should not be overlook or simplified, it should be a first class feature
and have its mainstream support, hence its configuration directives.

Are you sure that Dmitrii's patch will allow to use dedicated key-pairs for
each site declaration.

Regards,

Thomas.


>
> > Regards,
> >
> > Thomas.
> >
> > On Mon, Nov 3, 2014 at 11:30 PM, Thomas Calderon <
> calderon.thomas at gmail.com>
> > wrote:
> >
> > > Hi Piotr,
> > >
> > > I was not aware that some efforts were ongoing to use PKCS#11 devices
> with
> > > nginx.
> > > However, my experience with OpenSSL engine support is that the code is
> > > dusty, rather limited and relies on external configuration files.
> > > Dmitrii's approach requires to stack the OpenSSL engine code and
> OpenSC's
> > > engine_pkcs11 which ends-up loading the real PKCS#11 middleware.
> > > OpenSSL tends to perform multiple engine initialization which can
> confuse
> > > the PKCS#11 shared library. Using the engine section in openssl.cnf
> ties
> > > you up with a system-wide defined middleware.
> > >
> > > I would rather advocate for a more direct and self-contained approach.
> > >
> > > Regards,
> > >
> > > Thomas Calderon.
> > >
> > > On Mon, Nov 3, 2014 at 10:50 PM, Piotr Sikora <piotr at cloudflare.com>
> > > wrote:
> > >
> > >> Hi Thomas,
> > >>
> > >> > This patch leverages PKCS#11 support in nginx http module using
> libp11.
> > >> > This allows the private key to be stored in a dedicated hardware (or
> > >> > software) component.
> > >>
> > >> Dmitrii Pichulin is already working on (IMHO) much better way to
> > >> handle PKCS#11 via OpenSSL engines:
> > >>
> http://mailman.nginx.org/pipermail/nginx-devel/2014-August/005740.html
> > >>
> > >> Best regards,
> > >> Piotr Sikora
> > >>
> > >> _______________________________________________
> > >> nginx-devel mailing list
> > >> nginx-devel at nginx.org
> > >> http://mailman.nginx.org/mailman/listinfo/nginx-devel
> > >>
> > >
> > >
>
> > _______________________________________________
> > nginx-devel mailing list
> > nginx-devel at nginx.org
> > http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
>
> --
> Maxim Dounin
> http://nginx.org/
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20141110/cc8f7a26/attachment.html>


More information about the nginx-devel mailing list