Re: OpenSSL PKCS#11 Engine cannot be reused in child process, worker SSL sessions fail

Nikos Mavrogiannopoulos
July 31, 2015 10:38AM
On Sun, 2015-07-26 at 00:20 +0800, Anthony Alba wrote:
> Hi developers,
>
> I am using nginx with an OpenSSL engine (Safenet Luna) which is a
> wrapper over PKCS#11.
> The handles returned by ENGINE_load_private_key cannot be used in child
> processes, aka, workers due to PKCS#11, thus causing SSL connection
> errors.

Unfortunately nginx doesn't have direct support for PKCS #11 and relies
on the very primitive engine_pkcs11 which doesn't work (yet) with
applications that fork. To make that work you need to get
engine_pkcs11, and libp11 from their git repositories [0], [1] and
apply [2] on top.

I have a tracker for these issues at:
https://bugzilla.redhat.com/show_bug.cgi?id=1236526

regards,
Nikos

[0]. https://github.com/OpenSC/engine_pkcs11
[1]. https://github.com/OpenSC/libp11
[2]. https://github.com/OpenSC/libp11/pull/27






_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
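
The failure mode discussed in this thread, and one common remedy (compare PIDs to detect `fork()` and re-open the token session in the worker), as an added example that is not code from nginx, engine_pkcs11, libp11 or the pull request linked above. `mock_session`, `key_ctx` and `sign_in_worker` are hypothetical names; the mock is a constructed stand-in for a PKCS#11 module, modelling only the rule that a session opened in the parent is not usable in a forked child, so it runs without an HSM.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for a PKCS#11 session: usable only in the
 * process that opened it, like a handle loaded before fork(). */
struct mock_session { pid_t owner; int open; };

static void mock_open(struct mock_session *s) { s->owner = getpid(); s->open = 1; }

/* Returns 0 on success, -1 if the handle was inherited across fork(). */
static int mock_sign(const struct mock_session *s) {
    return (s->open && s->owner == getpid()) ? 0 : -1;
}

/* Hypothetical fork-aware wrapper: remembers which process initialised it. */
struct key_ctx { struct mock_session sess; pid_t init_pid; };

static void key_ctx_init(struct key_ctx *k) { mock_open(&k->sess); k->init_pid = getpid(); }

static int key_ctx_sign(struct key_ctx *k) {
    if (k->init_pid != getpid())   /* running in a forked child: re-open first */
        key_ctx_init(k);
    return mock_sign(&k->sess);
}

/* Fork a worker and sign in it, as a master/worker server would.
 * Returns 0 if the worker signed, 1 if signing failed, -1 on fork/wait error. */
static int sign_in_worker(struct key_ctx *k, int fork_aware) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int rc = fork_aware ? key_ctx_sign(k) : mock_sign(&k->sess);
        _exit(rc == 0 ? 0 : 1);    /* _exit: do not flush the parent's stdio buffers */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    struct key_ctx k;
    key_ctx_init(&k);              /* key loaded in the master, before fork() */
    int naive = sign_in_worker(&k, 0);
    int aware = sign_in_worker(&k, 1);
    printf("worker reusing inherited handle: %s\n", naive == 0 ? "ok" : "fails");
    printf("worker with PID check:           %s\n", aware == 0 ? "ok" : "fails");
    return 0;
}
```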