Re: [PATCH 0 of 1] allow to use engine keyform for server private key
This solution adds support for at least two OpenSSL engines which are currently unsupported: our gost_capi and the pkcs11 one:

http://www.freebsd.org/cgi/ports.cgi?query=engine_pkcs11&stype=all&sektion=all
https://github.com/OpenSC/OpenSC/wiki/OpenSSL-engine-for-PKCS%2311-modules

If you have a solution for how to support them (and others) in a better way for nginx, please describe it more clearly. Currently we do not understand why our solution is not good enough for you.

On 04.07.2014 16:31, Maxim Dounin wrote:
> Hello!
>
> On Fri, Jul 04, 2014 at 12:18:03PM +, Пичулин Дмитрий Николаевич wrote:
>
>> We looked at STORE_METHOD but didn't find any good examples.
>> We looked at format=%s engine=% key=% at a single ssl_certificate_key directive but found this way more complex.
>> Currently, we want to add 2 directives to ngx_http_ssl_module (as seen in openssl apps args):
>>
>>     ssl_certificate_keyform type;
>>     ssl_certificate_engine device;
>>
>> Type can be PEM or ENGINE, with default PEM. Device defines the ssl engine when type is ENGINE in the current http or server context.
>> Will this be enough?
>
> Doesn't look like a good solution to me.
>
> BTW, posting in text/plain, with appropriate quoting and with In-Reply-To is a plus.
>
> Thank you.

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Re: [PATCH 0 of 1] allow to use engine keyform for server private key
Hello!

On Fri, Jul 04, 2014 at 12:18:03PM +, Пичулин Дмитрий Николаевич wrote:

> We looked at STORE_METHOD but didn't find any good examples.
> We looked at format=%s engine=% key=% at a single ssl_certificate_key directive but found this way more complex.
> Currently, we want to add 2 directives to ngx_http_ssl_module (as seen in openssl apps args):
>
>     ssl_certificate_keyform type;
>     ssl_certificate_engine device;
>
> Type can be PEM or ENGINE, with default PEM. Device defines the ssl engine when type is ENGINE in the current http or server context.
> Will this be enough?

Doesn't look like a good solution to me.

BTW, posting in text/plain, with appropriate quoting and with In-Reply-To is a plus.

Thank you.

-- 
Maxim Dounin
http://nginx.org/
[PATCH 0 of 1] allow to use engine keyform for server private key
My company and I will be happy to see any method to load a private key from an engine, with any parameter names. What shall I do? Change the parameters to format= and engine=? Try to use STORE_get_certificate() and STORE_get_private_key() before using ENGINE_load_private_key()? Do you have any instructions which could help me check the patch, so as not to break compilation with the mail module again, etc.?

Tatiana Kondakova
mailto: kondak...@cryptopro.ru
[PATCH 0 of 1] allow to use engine keyform for server private key
Hello.

I'm a cryptography library developer (http://www.cryptopro.ru/). I want to make our server-side TLS work with nginx, and we have an engine for OpenSSL which successfully works with the openssl utilities. But for security reasons we cannot export the private key to a file, so our engine needs something like the keyform ENGINE option. This option makes it possible to use nginx with our library, with PKCS#11 tokens and with any other engine which does not support private key export.
Re: [PATCH 0 of 1] allow to use engine keyform for server private key
Hello!

On Tue, Mar 25, 2014 at 04:45:46PM +0400, Tatiana Kondakova wrote:

> Hello.
>
> I'm a cryptography library developer (http://www.cryptopro.ru/). I want to make our server-side TLS work with nginx, and we have an engine for OpenSSL which successfully works with the openssl utilities. But for security reasons we cannot export the private key to a file, so our engine needs something like the keyform ENGINE option. This option makes it possible to use nginx with our library, with PKCS#11 tokens and with any other engine which does not support private key export.

While this functionality looks interesting, the patch certainly needs more work before it will be possible to commit it. In particular, the patch will break compilation with the mail module, not even talking about style issues.

I also can't say I like the way it's expected to be configured. There should be a better way to do this, probably some parameter of the ssl_certificate_key directive (format=? or rather engine=?) and/or some specific path prefix to load a key from an engine.

-- 
Maxim Dounin
http://nginx.org/
Re: [PATCH 0 of 1] allow to use engine keyform for server private key
Hello,

> While this functionality looks interesting, the patch certainly needs more work before it will be possible to commit it. In particular, the patch will break compilation with the mail module, not even talking about style issues.
>
> I also can't say I like the way it's expected to be configured. There should be a better way to do this, probably some parameter of the ssl_certificate_key directive (format=? or rather engine=?) and/or some specific path prefix to load a key from an engine.

On top of what Maxim already wrote, I'd like to see the counterpart for the ssl_certificate directive.

Also, I prefer the engine= parameter.

Best regards,
Piotr Sikora
Re: [PATCH 0 of 1] allow to use engine keyform for server private key
Hello!

On Tue, Mar 25, 2014 at 11:24:37AM -0700, Piotr Sikora wrote:

> Hello,
>
>> While this functionality looks interesting, the patch certainly needs more work before it will be possible to commit it. In particular, the patch will break compilation with the mail module, not even talking about style issues.
>>
>> I also can't say I like the way it's expected to be configured. There should be a better way to do this, probably some parameter of the ssl_certificate_key directive (format=? or rather engine=?) and/or some specific path prefix to load a key from an engine.
>
> On top of what Maxim already wrote, I'd like to see the counterpart for the ssl_certificate directive.

I too think it would be good, but I'm not sure it's at all possible. The OpenSSL interface seems to allow loading a public key from an engine, but not a certificate. I may be wrong though.

-- 
Maxim Dounin
http://nginx.org/
Re: [PATCH 0 of 1] allow to use engine keyform for server private key
Hey Maxim,

> I too think it would be good, but I'm not sure it's at all possible. The OpenSSL interface seems to allow loading a public key from an engine, but not a certificate. I may be wrong though.

We could use the engine's STORE_METHOD, as it gives us access to STORE_get_certificate(), STORE_get_private_key(), STORE_get_crl() and STORE_get_arbitrary(), and use the old ENGINE_load_private_key() as the fallback in case the engine doesn't provide a STORE_METHOD.

Best regards,
Piotr Sikora