Maxim Dounin
July 05, 2015 08:02PM
Hello!

On Wed, Jun 24, 2015 at 03:26:17PM +0200, Nikos Mavrogiannopoulos wrote:

> On Mon, 2015-06-22 at 11:06 +0200, Nikos Mavrogiannopoulos wrote:
> >
>
> > The current support relies on engine_pkcs11, which is a 3rd party
> > module (not in openssl distribution). It should be future-proof to have
> > a way to load PKCS #11 modules which is independent of the backend used
> > by nginx. So you could change the internal backend (for example to use
> > libp11 directly), without requiring all nginx users to change their
> > configuration files and remove the "engine:pkcs11:" part from their
> > keys.
>
> To add to this, it seems that the current PKCS #11 support in nginx is
> broken. It will only work with softhsm which is a simplistic soft
> module. Hardware HSMs, and more advanced soft HSMs like caml-crush
> require strict PKCS #11 adherence which neither engine_pkcs11 nor nginx
> have. That is, they require the reinitialization of any open PKCS #11
> modules and object handles after a fork.
>
> I think, the simplest way is to solve that within engine_pkcs11 with an
> atfork handler and reinitialization on re-use... but that would be
> quite messy.
>
> For more info see:
> https://bugzilla.redhat.com/show_bug.cgi?id=1235284
> https://github.com/ANSSI-FR/caml-crush/issues/15

Yes, this was already discussed in the thread here:

http://mailman.nginx.org/pipermail/nginx-devel/2015-April/006783.html

This is believed to be a problem in engine_pkcs11, and should be
fixed there. From nginx's point of view it just uses keys from an
engine, and it's the engine's responsibility to handle any details,
including any reinitialization after fork() if needed.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
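Added example, not code from nginx, engine_pkcs11 or any PKCS #11 module: a wrapper implementing the "reinitialization on re-use" approach from the quoted message, recording which process owns the PKCS #11 state and calling C_Initialize again when a forked child first touches it. The module is a constructed stand-in that, like a strict HSM module, refuses operations in a process that has not initialized it; the CKR_* values are the spec's, everything else is assumed.

```c
/* Fork-aware PKCS #11 handle wrapper (constructed example, not nginx code). */
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

typedef unsigned long CK_RV;
#define CKR_OK                           0x000UL
#define CKR_CRYPTOKI_NOT_INITIALIZED     0x190UL
#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x191UL

/* --- mock strict module: its state is valid only in the process that called
 *     C_Initialize; a real module's entry points come from C_GetFunctionList --- */
static pid_t module_owner = 0;

static CK_RV mock_C_Initialize(void) {
    if (module_owner == getpid()) return CKR_CRYPTOKI_ALREADY_INITIALIZED;
    module_owner = getpid();           /* fresh process: set up fresh state */
    return CKR_OK;
}
static CK_RV mock_C_Sign(void) {       /* stands in for a private-key operation */
    return module_owner == getpid() ? CKR_OK : CKR_CRYPTOKI_NOT_INITIALIZED;
}

/* --- wrapper: remember the pid that owns the handle, re-initialise on re-use --- */
static pid_t handle_pid = 0;

static CK_RV p11_ensure_initialized(void) {
    if (handle_pid == getpid()) return CKR_OK;          /* same process: nothing to do */
    /* we are in a forked child: the spec requires C_Initialize before any other call */
    CK_RV rv = mock_C_Initialize();
    if (rv != CKR_OK && rv != CKR_CRYPTOKI_ALREADY_INITIALIZED) return rv;
    handle_pid = getpid();
    return CKR_OK;
}

static CK_RV p11_sign(int fork_safe) {
    if (fork_safe) { CK_RV rv = p11_ensure_initialized(); if (rv != CKR_OK) return rv; }
    return mock_C_Sign();              /* naive path: reuse the inherited handle as-is */
}

/* Master initialises, forks a worker (as nginx does), and reports whether the
 * worker could sign: 0 on success, 1 if the module rejected the inherited state. */
int sign_in_child(int fork_safe) {
    p11_ensure_initialized();
    pid_t pid = fork();
    if (pid == 0) _exit(p11_sign(fork_safe) == CKR_OK ? 0 : 1);
    int status = 0;
    waitpid(pid, &status, 0);
    return WEXITSTATUS(status);
}
```

The naive path reproduces the failure described for hardware HSMs and caml-crush (the worker's inherited handle is rejected), while the pid check makes the same worker succeed; a pthread_atfork child handler calling the same re-initialisation is the alternative mentioned in the thread.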