Hi Piotr,

I was not aware that some efforts were ongoing to use PKCS#11 devices with
nginx.
However, my experience with OpenSSL engine support is that the code is
dusty, rather limited and relies on external configuration files.
Dmitrii's approach requires to stack the OpenSSL engine code and OpenSC's
engine_pkcs11 which ends-up loading the real PKCS#11 middleware.
OpenSSL tends to perform multiple engine initialization which can confuse
the PKCS#11 shared library. Using the engine section in openssl.cnf ties
you up with a system-wide defined middleware.

I would rather advocate for a more direct and self-contained approach.

Regards,

Thomas Calderon.

On Mon, Nov 3, 2014 at 10:50 PM, Piotr Sikora <piotr@cloudflare.com> wrote:

> Hi Thomas,
>
> > This patch leverages PKCS#11 support in nginx http module using libp11.
> > This allows the private key to be stored in a dedicated hardware (or
> > software) component.
>
> Dmitrii Pichulin is already working on (IMHO) much better way to
> handle PKCS#11 via OpenSSL engines:
> http://mailman.nginx.org/pipermail/nginx-devel/2014-August/005740.html
>
> Best regards,
> Piotr Sikora
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel