OpenSSL PKCS#11 Engine cannot be reused in child process, worker SSL sessions fail

Nikos Mavrogiannopoulos nmav at
Fri Jul 31 14:37:00 UTC 2015

On Sun, 2015-07-26 at 00:20 +0800, Anthony Alba wrote:
> Hi developers,
> I am using nginx with an OpenSSL engine (Safenet Luna) which is a
> wrapper over PKCS#11.
> The handles returned by ENGINE_load_private_key cannot be used in child
> processes, aka, workers due to PKCS#11, thus causing SSL connection
> errors.

Unfortunately nginx doesn't have direct support for PKCS #11 and relies
on the very primitive engine_pkcs11 which doesn't work (yet) with
applications that fork. To make that work you need to get
engine_pkcs11, and libp11 from their git repositories [0], [1] and
apply [2] on top.

I have a tracker for these issues at:



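The failure reported in this thread, and a fork-aware wrapper of the kind that avoids it, as an added example that is not code from the post, engine_pkcs11 or libp11. PKCS#11 requires a child process to call C_Initialize itself after fork() and obtain fresh handles; here a simulated token stands in for the real module, and all names (`tok_*`, `key_*`, `sign_in_child`) are hypothetical.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Simulated token (assumption, not real Cryptoki): its state is valid only
 * in the process that initialized it, like a PKCS#11 module after fork(). */
static pid_t tok_owner = 0;            /* pid that last called tok_init() */
static unsigned long tok_generation = 0;

static void tok_init(void) { tok_owner = getpid(); tok_generation++; }
static unsigned long tok_find_key(void) { return tok_generation; }
static int tok_sign(unsigned long handle) {
    if (tok_owner != getpid()) return -1;    /* not initialized in this process */
    if (handle != tok_generation) return -2; /* handle from an older init */
    return 0;
}

/* Fork-aware wrapper: remember which process loaded the key. */
struct key_ctx { pid_t pid; unsigned long handle; };

static void key_load(struct key_ctx *k) {
    tok_init();
    k->pid = getpid();
    k->handle = tok_find_key();
}

static int key_sign(struct key_ctx *k) {
    if (k->pid != getpid()) key_load(k); /* forked: re-init, re-find the key */
    return tok_sign(k->handle);
}

/* Sign inside a forked worker; returns the worker's exit status (0 = ok). */
static int sign_in_child(struct key_ctx *k, int fork_aware) {
    pid_t c = fork();
    if (c < 0) return -100;
    if (c == 0) _exit((fork_aware ? key_sign(k) : tok_sign(k->handle)) ? 1 : 0);
    int st = 0;
    if (waitpid(c, &st, 0) < 0) return -100;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -100;
}

int main(void) {
    struct key_ctx k;
    key_load(&k); /* master loads the key before forking, as in the report */
    printf("parent sign:            %d\n", key_sign(&k));
    printf("worker, inherited key:  %d\n", sign_in_child(&k, 0));
    printf("worker, fork-aware key: %d\n", sign_in_child(&k, 1));
    return 0;
}
```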