NGINX Forked Operations do not get handled in the Same Session as the Master Process?
ege.gorgun at tokeninc.com
Mon Sep 28 18:59:19 UTC 2020
I hope you and your loved ones are in good health during these uncertain times.
I've been trying to integrate our physical HSM (hardware security module) devices with NGINX to offload the SSL connections through the keys that we store in our HSM devices. I have 2 scenarios with 2 different results that need your attention:
1. When I configure the NGINX configuration file (i.e. etc/nginx/nginx.conf) with the following and start NGINX as a foreground process, SSL connections get handled correctly and I'm able to see the logs written to the HSM driver's log file:
2. When I remove the above-mentioned parameters and run NGINX as a background process, however, I believe forked operations do not get handled in the same session as the master process of NGINX and therefore they don't see our preloaded softcard or the key objects inside it. The following is reported when an SSL connection is attempted to be made:
*1 SSL_do_handshake() failed (SSL: error:8207A060:PKCS#11 module:pkcs11_private_encrypt:Key handle invalid error:141EC044:SSL routines:tls_construct_server_key_exchange:internal error) while SSL handshaking, client: 172.31.88.4, server: 0.0.0.0:443
Since nothing gets written to the HSM driver's log file, I believe the driver doesn't even receive any requests originating from NGINX.
Here's what we are using:
* Thales nShield Connect 6000+ HSM devices with the latest firmware
* Ubuntu v18.04 server distribution
* NGINX v1.16.1
* OpenSSL v1.1.1d
* OpenSC v0.20.0
* Libp11 v0.4.10
* p11-kit v0.23.21
* libengine-pkcs11-openssl v0.4.10-1 (OpenSSL engine for PKCS#11 modules)
Any suggestions/help would be greatly appreciated.
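Added example, not part of the original message and not code from NGINX, libp11 or the nShield driver: a small C program illustrating the failure mode the post describes. A PKCS#11 session handle (and the login state behind it) belongs to the process that created it; the PKCS#11 specification requires a forked child to re-initialize the library rather than reuse inherited handles, which is why a worker using a session opened in the master sees "Key handle invalid". The usual fork-safe pattern is to record the pid that opened the session and reopen it whenever the current pid differs. `sim_open_session`, `hsm_session` and `hsm_get_session` are hypothetical names standing in for the real C_OpenSession/C_Login calls, so the program runs without an HSM.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-ins for PKCS#11 types (hypothetical, not the Cryptoki headers). */
typedef unsigned long ck_session_handle;
#define CK_INVALID_HANDLE 0UL

/* A session together with the pid that owns it. A real module's handle is
 * only meaningful inside the process that called C_Initialize/C_OpenSession. */
typedef struct {
    ck_session_handle handle;   /* handle as returned by the token */
    pid_t owner_pid;            /* process in which the handle was opened */
} hsm_session;

/* Simulated C_OpenSession (constructed for this example): in production
 * this is where the module is (re)initialized and the softcard re-logged
 * in, in the *current* process. The pid is folded into the handle so a
 * reopen in a child is visibly different from the parent's handle. */
static ck_session_handle sim_open_session(void) {
    static unsigned long counter = 0;
    return (ck_session_handle)(((unsigned long)getpid() << 16) | ++counter);
}

/* Return a usable session, reopening it when the caller is not the
 * process that created it (the state an nginx worker is in right after
 * the master has forked it). The inherited handle is never used. */
ck_session_handle hsm_get_session(hsm_session *s) {
    pid_t me = getpid();
    if (s->handle == CK_INVALID_HANDLE || s->owner_pid != me) {
        s->handle = sim_open_session();
        s->owner_pid = me;
    }
    return s->handle;
}

/* Within one process the same handle is reused. Returns 1 on success. */
int demo_same_process_keeps_handle(void) {
    hsm_session s = { CK_INVALID_HANDLE, 0 };
    ck_session_handle a = hsm_get_session(&s);
    ck_session_handle b = hsm_get_session(&s);
    return a == b;
}

/* Fork a child (as the nginx master does for its workers) and check that
 * the child detects the stale pid and opens its own session, while the
 * parent keeps its original handle. Returns 1 on success, 0 on failure,
 * -1 on a system error. */
int demo_fork_reopen(void) {
    hsm_session s = { CK_INVALID_HANDLE, 0 };
    ck_session_handle parent_handle = hsm_get_session(&s);
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* child: the struct is a memory copy, owner_pid still names the parent */
        close(fds[0]);
        int stale = (s.owner_pid != getpid());
        ck_session_handle h = hsm_get_session(&s);
        int fresh = (h != parent_handle) && (s.owner_pid == getpid());
        int result = stale && fresh;
        if (write(fds[1], &result, sizeof result) != (ssize_t)sizeof result) _exit(1);
        _exit(0);
    }
    close(fds[1]);
    int result = -1;
    if (read(fds[0], &result, sizeof result) != (ssize_t)sizeof result) result = -1;
    close(fds[0]);
    waitpid(pid, NULL, 0);
    /* parent: nothing changed for it, so no reopen must have happened */
    if (hsm_get_session(&s) != parent_handle) return 0;
    return result;
}

int main(void) {
    printf("same process keeps handle: %d\n", demo_same_process_keeps_handle());
    printf("child reopens after fork:  %d\n", demo_fork_reopen());
    return 0;
}
```

The practical takeaway for the deployment in the post: whatever opens the PKCS#11 session (engine initialization plus softcard login) has to run in each worker, not once in the master before the fork, and a driver log that stays empty while the workers fail is consistent with the workers never reaching the module at all.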