patch to allow loading PKCS #11 URLs
Nikos Mavrogiannopoulos
nmav at redhat.com
Wed Jun 24 13:26:17 UTC 2015
On Mon, 2015-06-22 at 11:06 +0200, Nikos Mavrogiannopoulos wrote:
> The current support relies on engine_pkcs11, which is a 3rd party
> module (not in openssl distribution). It should be future-proof to
> have a way to load PKCS #11 modules which is independent of the
> backend used by nginx. So you could change the internal backend (for
> example to use libp11 directly), without requiring all nginx users to
> change their configuration files and remove the "engine:pkcs11:" part
> from their keys.
To add to this, it seems that the current PKCS #11 support in nginx is
broken. It will only work with softhsm, which is a simplistic soft
module. Hardware HSMs, and more advanced soft HSMs like caml-crush,
require strict PKCS #11 adherence which neither engine_pkcs11 nor nginx
have. That is, they require the reinitialization of any open PKCS #11
modules and object handles after a fork.
I think the simplest way is to solve that within engine_pkcs11 with an
atfork handler and reinitialization on re-use... but that would be
quite messy.
For more info see:
https://bugzilla.redhat.com/show_bug.cgi?id=1235284
https://github.com/ANSSI-FR/caml-crush/issues/15
regards,
Nikos
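As an added illustration of the "atfork handler plus reinitialization on re-use" approach sketched above (example code written for this page, not code from this thread, from engine_pkcs11 or from nginx): the stub_* functions are a constructed stand-in for a strict module that, like a hardware HSM, rejects handles from any process other than the one that called C_Initialize, and the pkcs11_* names are hypothetical engine-side helpers.

```c
#include <pthread.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>
#define CKR_OK                       0x00UL
#define CKR_CRYPTOKI_NOT_INITIALIZED 0x190UL  /* genuine PKCS #11 return code */
/* Constructed stand-in for a strict module (stub_*): a handle is valid only in the
 * process that called C_Initialize. A real build would go through CK_FUNCTION_LIST. */
static pid_t         stub_owner_pid;        /* 0 = never initialized */
static unsigned long stub_next_handle = 1;
static unsigned long stub_C_Initialize(void) { stub_owner_pid = getpid(); return CKR_OK; }
static unsigned long stub_C_OpenSession(unsigned long *h) {
    if (stub_owner_pid != getpid()) return CKR_CRYPTOKI_NOT_INITIALIZED;
    *h = stub_next_handle++;
    return CKR_OK;
}

/* Application side: the per-process state an engine would have to manage. */
static unsigned long session;          /* cached session handle, 0 = none */
static int           needs_reinit = 1; /* set on first use and in every forked child */
static int           init_count;       /* how often the module was (re)initialized */
/* atfork child hook: only async-signal-safe work belongs here, so just mark the
 * cached state dead and let the next use re-initialize inside the child. */
void pkcs11_atfork_child(void) { needs_reinit = 1; }
int  pkcs11_install_atfork(void) {     /* register once, when the engine loads */
    return pthread_atfork(NULL, NULL, pkcs11_atfork_child);
}
/* Returns a session handle usable in the calling process, or 0 on failure. */
unsigned long pkcs11_get_session(void) {
    if (needs_reinit) {
        session = 0;                   /* handles inherited across fork are invalid */
        if (stub_C_Initialize() != CKR_OK) return 0;
        if (stub_C_OpenSession(&session) != CKR_OK) return 0;
        init_count++;
        needs_reinit = 0;
    }
    return session;
}
int pkcs11_init_count(void) { return init_count; }

int main(void) {
    pkcs11_install_atfork();
    printf("master: session %lu\n", pkcs11_get_session());
    if (fork() == 0) {                 /* worker, as nginx's master forks them */
        printf("worker: session %lu after init #%d\n", pkcs11_get_session(), pkcs11_init_count());
        return 0;
    }
    return wait(NULL) < 0;
}
```

Without the hook the worker would keep using the master's handle, which the strict stand-in (and a real HSM module) answers with CKR_CRYPTOKI_NOT_INITIALIZED.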