Re: [PATCH] Add PKCS#11 support to nginx http module

Thomas Calderon
November 10, 2014 10:38AM
Hi Maxim,


On Mon, Nov 10, 2014 at 4:11 PM, Maxim Dounin <mdounin@mdounin.ru> wrote:

> Hello!
>
> On Mon, Nov 10, 2014 at 03:54:20PM +0100, Thomas Calderon wrote:
>
> > Hi all,
> >
> > Is someone else interested in providing feedback for my patch?
>
> Dmitrii's patch is currently a primary candidate for inclusion. I
> agree with Piotr - it looks much better as it doesn't introduce
> additional dependencies and more configuration directives to do
> the same thing.
>

Well, a user will need to use OpenSC's engine_pkcs11 in order to use its own
PKCS#11 library.
Although this is an external dependency, without it Dmitrii's patch is
pretty much useless.
As for the addition of configuration directives, a user will need to use
the global openssl.cnf in order to have a meaningful PKCS#11 configuration,
with the various shortcomings I mentioned in my previous post.

I understand that the nginx team desires to minimize the various changes that
are introduced in the code base. IMHO, adding support for PKCS#11 devices
should not be overlooked or simplified; it should be a first-class feature
and have its mainstream support, hence its configuration directives.

Are you sure that Dmitrii's patch will allow using dedicated key-pairs for
each site declaration?

Regards,

Thomas.


>
> > Regards,
> >
> > Thomas.
> >
> > On Mon, Nov 3, 2014 at 11:30 PM, Thomas Calderon <calderon.thomas@gmail.com>
> > wrote:
> >
> > > Hi Piotr,
> > >
> > > I was not aware that some efforts were ongoing to use PKCS#11 devices
> > > with nginx.
> > > However, my experience with OpenSSL engine support is that the code is
> > > dusty, rather limited and relies on external configuration files.
> > > Dmitrii's approach requires stacking the OpenSSL engine code and
> > > OpenSC's engine_pkcs11, which ends up loading the real PKCS#11 middleware.
> > > OpenSSL tends to perform multiple engine initializations, which can
> > > confuse the PKCS#11 shared library. Using the engine section in openssl.cnf
> > > ties you up with a system-wide defined middleware.
> > >
> > > I would rather advocate for a more direct and self-contained approach.
> > >
> > > Regards,
> > >
> > > Thomas Calderon.
> > >
> > > On Mon, Nov 3, 2014 at 10:50 PM, Piotr Sikora <piotr@cloudflare.com>
> > > wrote:
> > >
> > >> Hi Thomas,
> > >>
> > >> > This patch leverages PKCS#11 support in nginx http module using libp11.
> > >> > This allows the private key to be stored in a dedicated hardware (or
> > >> > software) component.
> > >>
> > >> Dmitrii Pichulin is already working on (IMHO) much better way to
> > >> handle PKCS#11 via OpenSSL engines:
> > >>
> > >> http://mailman.nginx.org/pipermail/nginx-devel/2014-August/005740.html
> > >>
> > >> Best regards,
> > >> Piotr Sikora
> > >>
> > >> _______________________________________________
> > >> nginx-devel mailing list
> > >> nginx-devel@nginx.org
> > >> http://mailman.nginx.org/mailman/listinfo/nginx-devel
> > >>
> > >
> > >
>
>
>
> --
> Maxim Dounin
> http://nginx.org/
>
>
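The "system-wide defined middleware" both messages refer to is the engine section of the global openssl.cnf. The fragment below is an added illustration of that stacking (OpenSSL engine loader, then OpenSC's engine_pkcs11, then the vendor PKCS#11 module); it is not taken from either patch or from the thread, and the two library paths are placeholders chosen for the example:

```ini
# openssl.cnf (added example, not part of either nginx patch)
# The openssl_conf pointer is read by every OpenSSL consumer on the host,
# so whatever is configured here applies to all of them, not just nginx.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# Path to OpenSC's engine_pkcs11 shared object (placeholder path).
dynamic_path = /usr/lib/engines/engine_pkcs11.so
# Path to the real PKCS#11 middleware the engine loads (placeholder path).
# One value per host: every OpenSSL user shares the same module.
MODULE_PATH = /usr/lib/opensc-pkcs11.so
# Defer initialisation so the engine is only brought up when first used;
# repeated initialisation of the PKCS#11 module is what the thread warns about.
init = 0
```

Two properties of this file are the substance of the disagreement above: MODULE_PATH is a single, host-global choice of middleware, and because the engine is initialised through OpenSSL's generic loader rather than by nginx itself, nginx has no per-server_name control over which token or key pair is bound to which site. A direct libp11 integration with its own directives trades an extra build dependency for that control.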