OpenSSL PKCS#11 Engine cannot be reused in child process, worker SSL sessions fail

Maxim Dounin mdounin at
Sun Jul 26 19:25:24 UTC 2015


On Sun, Jul 26, 2015 at 12:20:25AM +0800, Anthony Alba wrote:

> Hi developers,
> I am using nginx with an OpenSSL engine (Safenet Luna) which is a
> wrapper over PKCS#11.
> The handles return by ENGINE_load_private_key cannot be used in child
> processes, aka, workers due to PKCS#11, thus causing SSL connection
> errors.
> The private key seems to be loaded in ngx_ssl_certificate(); is there
> a way to tell nginx to call this function per child process?

That's not something nginx is expected to do.  It's the engine 
responsibility to properly handle fork() calls.  This was alrady 
discussed in this list at least twice.

Maxim Dounin

More information about the nginx-devel mailing list