patch to allow loading PKCS #11 URLs

Nikos Mavrogiannopoulos nmav at
Wed Jun 24 13:26:17 UTC 2015

On Mon, 2015-06-22 at 11:06 +0200, Nikos Mavrogiannopoulos wrote:

> The current support relies on engine_pkcs11, which is a 3rd party
> module (not in openssl distribution). It should be future-proof to have
> a way to load PKCS #11 modules which is independent of the backend used
> by nginx. So you could change the internal backend (for example to use
> libp11 directly), without requiring all nginx users to change their
> configuration files and remove the "engine:pkcs11:" part from their
> keys.

To add to this, it seems that the current PKCS #11 support in nginx is
broken. It will only work with softhsm, which is a simplistic soft
module. Hardware HSMs, and more advanced soft HSMs like caml-crush,
require strict PKCS #11 adherence, which neither engine_pkcs11 nor nginx
has. That is, they require the reinitialization of any open PKCS #11
modules and object handles after a fork.

I think the simplest way is to solve that within engine_pkcs11 with an
atfork handler and reinitialization on re-use... but that would be
quite messy.

For more info see:



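The fork problem described in the mail, and the "atfork handler plus reinitialization on re-use" pattern it suggests, as an added example that is not code from this thread, from nginx, from engine_pkcs11 or from any PKCS #11 module. A strict module treats the C_Initialize state and every session handle as belonging to the process that created them, so a worker produced by fork() must call C_Initialize again and reopen its sessions. The module below is a constructed stub that enforces exactly that rule (nothing real is linked); the stub_* and p11w_* names, the byte-sum "signature" and the stub_simulate_fork test hook are assumptions of this example. The CKR_* values are the ones from the PKCS #11 pkcs11t.h header.

```c
/* Added example: fork-safe use of a strict PKCS #11 module via an atfork
 * handler and lazy reinitialization.  The stub module is constructed for
 * this example; stub_* and p11w_* names are not from any real project. */
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

typedef unsigned long CK_RV;
typedef unsigned long CK_SESSION_HANDLE;
/* Return codes; numeric values as in the PKCS #11 pkcs11t.h header. */
#define CKR_OK                           0x000UL
#define CKR_SESSION_HANDLE_INVALID       0x0B3UL
#define CKR_CRYPTOKI_NOT_INITIALIZED     0x190UL
#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x191UL

/* Lets a test pretend a fork happened without calling fork(). */
static pid_t stub_fork_offset = 0;
static pid_t stub_getpid(void) { return getpid() + stub_fork_offset; }

/* ---- constructed stub module: state belongs to the pid that initialized it ---- */
static pid_t stub_owner_pid = 0;                    /* 0: not initialized */
static CK_SESSION_HANDLE stub_next_handle = 1;
static CK_SESSION_HANDLE stub_min_valid_handle = 1; /* older handles are stale */

static CK_RV stub_C_Initialize(void) {
    if (stub_owner_pid == stub_getpid()) return CKR_CRYPTOKI_ALREADY_INITIALIZED;
    stub_owner_pid = stub_getpid();
    stub_min_valid_handle = stub_next_handle;       /* parent's handles die here */
    return CKR_OK;
}
static CK_RV stub_C_OpenSession(CK_SESSION_HANDLE *h) {
    if (stub_owner_pid != stub_getpid()) return CKR_CRYPTOKI_NOT_INITIALIZED;
    *h = stub_next_handle++;
    return CKR_OK;
}
/* The "signature" is a byte sum: a stand-in for the real HSM operation. */
static CK_RV stub_C_Sign(CK_SESSION_HANDLE h, const unsigned char *m, size_t n,
                         unsigned char *sig) {
    if (stub_owner_pid != stub_getpid()) return CKR_CRYPTOKI_NOT_INITIALIZED;
    if (h < stub_min_valid_handle || h >= stub_next_handle) return CKR_SESSION_HANDLE_INVALID;
    unsigned s = 0;
    for (size_t i = 0; i < n; i++) s += m[i];
    *sig = (unsigned char)s;
    return CKR_OK;
}

/* ---- wrapper as a forking server would use it ---- */
static int p11w_stale = 1;                  /* 1: (re)initialize before next use */
static CK_SESSION_HANDLE p11w_session = 0;

/* Child-side atfork handler: only flip a flag.  Other parent threads may have
 * held the module's locks at fork time, so no PKCS #11 call is safe here. */
static void p11w_atfork_child(void) { p11w_stale = 1; }

int p11w_setup(void) {
    return pthread_atfork(NULL, NULL, p11w_atfork_child);   /* 0 on success */
}
/* Reinitialization on re-use: redo C_Initialize, then reopen the session. */
static CK_RV p11w_ensure_ready(void) {
    if (!p11w_stale) return CKR_OK;
    CK_RV rv = stub_C_Initialize();
    if (rv != CKR_OK && rv != CKR_CRYPTOKI_ALREADY_INITIALIZED) return rv;
    if ((rv = stub_C_OpenSession(&p11w_session)) != CKR_OK) return rv;
    p11w_stale = 0;
    return CKR_OK;
}
/* Safe path: survives fork transparently. */
CK_RV p11w_sign(const unsigned char *m, size_t n, unsigned char *sig) {
    CK_RV rv = p11w_ensure_ready();
    return rv != CKR_OK ? rv : stub_C_Sign(p11w_session, m, n, sig);
}
/* Naive path: reuses what the parent set up; this is what breaks after fork. */
CK_RV naive_sign(const unsigned char *m, size_t n, unsigned char *sig) {
    return stub_C_Sign(p11w_session, m, n, sig);
}
CK_SESSION_HANDLE p11w_current_session(void) { return p11w_session; }

/* Test hook: behave as a freshly forked child of the current process. */
void stub_simulate_fork(void) { stub_fork_offset++; p11w_atfork_child(); }

int main(void) {
    static const unsigned char msg[] = "constructed test message";
    unsigned char sig;
    if (p11w_setup() != 0) return 1;
    if (p11w_sign(msg, sizeof msg - 1, &sig) != CKR_OK) return 1;
    pid_t pid = fork();
    if (pid == 0) {                         /* worker: real fork, real handler */
        CK_RV bad = naive_sign(msg, sizeof msg - 1, &sig);
        CK_RV good = p11w_sign(msg, sizeof msg - 1, &sig);
        printf("child: naive=0x%lx safe=0x%lx\n", bad, good);
        _exit(good == CKR_OK && bad == CKR_CRYPTOKI_NOT_INITIALIZED ? 0 : 2);
    }
    int st = 0;
    waitpid(pid, &st, 0);
    return WIFEXITED(st) ? WEXITSTATUS(st) : 3;
}
```

Run stand-alone, the parent initializes and signs once, forks, and the child prints the naive call failing with CKR_CRYPTOKI_NOT_INITIALIZED while the wrapped call succeeds after reinitializing. The child handler deliberately does no PKCS #11 work itself; deferring the reinitialization to the next use is what keeps the handler safe when the fork happened while another thread held a module lock.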