OpenSSL PKCS#11 Engine cannot be reused in child process, worker SSL sessions fail

Nikos Mavrogiannopoulos nmav at redhat.com
Fri Jul 31 14:37:00 UTC 2015


On Sun, 2015-07-26 at 00:20 +0800, Anthony Alba wrote:
> Hi developers,
> 
> I am using nginx with an OpenSSL engine (Safenet Luna) which is a
> wrapper over PKCS#11.
> The handles returned by ENGINE_load_private_key cannot be used in child
> processes, aka workers, due to PKCS#11, thus causing SSL connection
> errors.

Unfortunately nginx doesn't have direct support for PKCS #11 and relies
on the very primitive engine_pkcs11, which doesn't (yet) work with
applications that fork. To make that work you need to get
engine_pkcs11 and libp11 from their git repositories [0], [1] and
apply [2] on top.

I have a tracker for these issues at:
https://bugzilla.redhat.com/show_bug.cgi?id=1236526

regards,
Nikos

[0]. https://github.com/OpenSC/engine_pkcs11
[1]. https://github.com/OpenSC/libp11
[2]. https://github.com/OpenSC/libp11/pull/27
