For example, the testing steps for ubuntu user "nx" with
nginx > openssl > engine_pkcs11 > softhsm:

1) -install softhsm (apt-get install softhsm);
-edit config (/etc/softhsm/softhsm.conf with: "0:/home/nx/slot0.db");
-init token (softhsm --init-token --slot 0 --label "NginxZero");

2) -install opensc (apt-get install opensc);
-generate key in token from step 1) (

pkcs11-tool --module=/usr/lib/softhsm/libsofthsm.so \
-l -k -d 0 -a nx_key_0 --key-type rsa:2048

)

3) -install engine_pkcs11 (apt-get install libengine-pkcs11-openssl)

4) -install openssl (apt-get install openssl libssl-dev)
-edit config (

/etc/ssl/openssl.cnf insert after "oid_section = new_oids":

openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/softhsm/libsofthsm.so
init = 0

)
-make self-signed certificate (

openssl req -engine pkcs11 -new -key id_00 -keyform engine \
-out req.pem -text -x509 -subj "/CN=NginxZero"

openssl x509 -engine pkcs11 -signkey slot_0-id_00 \
-keyform engine -in req.pem -out cert.pem

)

5) -build nginx with this patch and with-http_ssl_module
-edit config (

nginx.conf section main:

ssl_engine pkcs11;

nginx.conf section http:

server {
listen *:443;
server_name localhost;

ssl on;
ssl_certificate /home/nx/cert.pem;
ssl_certificate_key engine:pkcs11:slot_0-id_00;

ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
ssl_prefer_server_ciphers on;

charset UTF-8;

location / {
root /home/nx/www;
index index.html index.htm;
}
}

)

6) run/test nginx

On 12.08.2014 4:43, Maxim Dounin wrote:
> Hello!
>
> On Mon, Aug 11, 2014 at 08:36:12AM +0400, Dmitrii Pichulin wrote:
>
>> What is the current statusof this patch?
>>
>> Let us know if it has any issues.
>
> As far as I see, there are no serious problems left. There are
> various minor style issues though (like incorrect patch subject,
> use of "char" instead of "u_char", and so on). I'm going to
> cleanup these as time permits. Please ping again if it won't
> happen in a week or two.
>
> (Meanwhile, you may try to clean things yourself and post an
> updated patch.)
>
> BTW, if you have a good example of an engine to test with, this
> may be also helpful.
>

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel