[Bug 2050017] Re: [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider

2024-05-21 Thread Frank Heimes
Yes, I thought about
https://launchpad.net/~ahasenack/+archive/ubuntu/apache2-modssl-provider-support/

But we can also copy it to another PPA or I can re-create it based on
yours, if you prefer not to leave yours.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2050017

Title:
  [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd
  for openSSL 3.0 with PKCS #11 provider

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2050017/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2050017] Re: [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider

2024-05-21 Thread Andreas Hasenack
Which PPA do you mean,
https://launchpad.net/~ahasenack/+archive/ubuntu/apache2-modssl-provider-support/ ?
Or another one to be created?


[Bug 2050017] Re: [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider

2024-05-17 Thread Frank Heimes
The IBM team agreed upon the proposal to go with the PPA solution
for now, until upstream accepted (and reconsider in this case).

(So I think I'm updating the status of this ticket to 'Opinion'.)

** Changed in: ubuntu-z-systems
   Status: Triaged => Opinion

** Changed in: apache2 (Ubuntu)
   Status: Triaged => Opinion


[Bug 2050017] Re: [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider

2024-05-06 Thread Frank Heimes
** Summary changed:

- [FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd 
for openSSL 3.0 with PKCS #11 provider
+ [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for 
openSSL 3.0 with PKCS #11 provider

** Description changed:

- Feature Freeze Exception (FFe):
- ---
- 
- Since the work on this request may take a little longer and noble's FF is
- today, this request got transferred into a feature freeze exception (FFe).
- 
  The driver for this is the need to update mod_ssl in Apache2 to support
  openssl 3.x providers, since engines are deprecated in openssl 3.x.
  
  This new functionality (openssl provider support) is required for the
  use case that one wants to protect the private key of a httpd server
  by using a PKCS#11 based (HSM based) private key for the server
  instead of using a clear key.
  
  This would subsequently open business opportunity esp. on the s390x
  platform.
  
  The diff/delta in the 2.5.x/trunk CHANGES file 
(https://github.com/apache/httpd/blob/trunk/CHANGES) is:
  "
    *) mod_ssl: Support loading certificates and private keys from the
   PKCS#11 OpenSSL engine.  [Anderson Sasaki ,
   Joe Orton]
  "
  
  In addition the reference to Revision 1914365 seems to be useful reference,
  that provides further details:
  https://svn.apache.org/viewvc?view=revision=1914365
  
  Once backports for 2.4.x are available:
  - a test build in PPA will be done (and a build log can be provided)
  - install and upgrade tests will be done (and an install log can be provided)
  
  The new package should not break any other packages that depend on it,
  since there are no changes in the dependencies (or package meta data in 
general) expected.
  
  A description of a sample setup, incl. all affected components, can be taken 
from here:
  https://www.ibm.com/docs/en/linux-on-z?topic=linuxone-libp11-engine
  (The sample is based on RHEL, but except the patches discussed here,
   this generally applies to other distributions as well).
  'Figure - 1' provides a graphical representation of the overall use case 
setup.
  
  The above sample setup does incl. test steps;
  look for 'Testing' --> 'Test with Apache web server'
  (Test uses "httpd -X" and "openssl s_client".)
  
  Once an Ubuntu based Apache 2.4.x test build for noble is available,
  and the logs (see above are available)
  the 'ubuntu-release' team can finally be subscribed.
  
  __
  
  Enable an E2E use case that allows to configure an Apache webserver to
  protect its private keys with an HSM that is addressable via an PKCS #11
  (signing) provider configured for an openSSL 3.0 library.
  
  Accepted for httpd > 2.4.58, see
  https://svn.apache.org/viewvc?view=revision=1914365
