> | Has anyone tried this yet? - either using SoftHSM or a Thales HSM?
> |
> | I have access to a totally unconfigured Thales netShield Connect 500.
> |
> | Without reading *all* the manuals - anyone have a HowTo setup to make
> | one of these beasties talk PKCS#11... a Goto page XX is acceptable..
>
> For the FreeBSD port for 9.10 that I'm currently writing (as the beta comes
> out) it seems you can only build it either with openssl or with
> native-pkcs11, which is a bit strange.

Well, it's kinda the point: Our previous pkcs11 support required you to patch
and build a local version of openssl with code that was originally contributed
by the OpenSolaris project and has been maintained for the past few years by
ISC, but has never been accepted into upstream openssl. Every crypto function
used by BIND would be sent to this alternate openssl, which would then
translate the call into pkcs11 primitives and send them to the HSM.

This new code uses pkcs11 for all crypto, instead of using openssl as a shim.
So yes, you can build with either native pkcs11 or openssl, but not both.

(The advantage of the openssl version is it can fill in functional gaps when
your HSM doesn't supply *all* the pkcs11 functions. Some HSMs don't provide
hashing services or random number generation, for example. If you're using
such an HSM then native pkcs11 can't do all crypto things BIND needs done.)

> As for trying it, no, making it compile is already somewhat a challenge...

I haven't tried it with Thales personally, but one of my colleagues has.

For SoftHSM, you have to build the latest v2 code out of their git repository;
there's no tarball you can download as yet. Once you've built it and
initialized it according to their instructions, configure BIND and test it:

    $ configure --enable-native-pkcs11 --with-pkcs11=/path/to/libsofthsm.so
    $ make
    $ cd bin/tests/system
    $ sudo sh ifconfig.sh up
    $ sh run.sh pkcs11

If the test passes, then pkcs11 is working. It should work the same with
Thales, as long as the HSM is running and the pkcs11 provider library is
accessible.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
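The caveat above (an HSM that lacks hashing or random-number mechanisms cannot serve a native-pkcs11 build, because there is no openssl left to fill the gap) suggests a pre-flight check before choosing `--enable-native-pkcs11`: load the provider library and compare the mechanisms it advertises against the ones you will depend on. The program below is an added example, not code from the thread or from BIND. It assumes only what PKCS#11 v2.x guarantees (the module exports `C_GetFunctionList`, and the function list begins with the entries declared here in the standard's fixed order); the `required` list (RSA key generation and signing plus SHA-1 and SHA-256 digests) is this example's own choice, not a list taken from BIND's documentation, so adjust it to the algorithms your zones actually use. Minimal PKCS#11 types are declared inline so no vendor `pkcs11.h` is needed.

```c
/* Added example: check which mechanisms a PKCS#11 provider advertises,
 * so that gaps (e.g. no digest mechanisms) are found before building BIND
 * with native pkcs11 rather than when signing fails at run time. */
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>

typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV, CK_SLOT_ID, CK_MECHANISM_TYPE;
typedef unsigned char CK_BYTE, CK_BBOOL;
typedef struct { CK_BYTE major, minor; } CK_VERSION;

#define CKR_OK                    0x0000UL
#define CKM_RSA_PKCS_KEY_PAIR_GEN 0x0000UL
#define CKM_RSA_PKCS              0x0001UL
#define CKM_SHA_1                 0x0220UL
#define CKM_SHA256                0x0250UL

/* Leading entries of CK_FUNCTION_LIST; the standard fixes this order and
 * we only dereference the members we actually call. */
typedef struct {
    CK_VERSION version;
    CK_RV (*C_Initialize)(void *);
    CK_RV (*C_Finalize)(void *);
    CK_RV (*C_GetInfo)(void *);
    CK_RV (*C_GetFunctionList)(void *);
    CK_RV (*C_GetSlotList)(CK_BBOOL, CK_SLOT_ID *, CK_ULONG *);
    CK_RV (*C_GetSlotInfo)(CK_SLOT_ID, void *);
    CK_RV (*C_GetTokenInfo)(CK_SLOT_ID, void *);
    CK_RV (*C_GetMechanismList)(CK_SLOT_ID, CK_MECHANISM_TYPE *, CK_ULONG *);
} CK_FUNCTION_LIST_PREFIX;

/* Example's own list of mechanisms to insist on (assumption, not BIND's). */
static const CK_MECHANISM_TYPE required[] = {
    CKM_RSA_PKCS_KEY_PAIR_GEN, CKM_RSA_PKCS, CKM_SHA_1, CKM_SHA256
};
#define NREQUIRED (sizeof required / sizeof required[0])

/* Count the entries of `need` that do not appear in `have`, copying them
 * into `missing` (which must hold at least nneed entries). */
size_t missing_mechanisms(const CK_MECHANISM_TYPE *have, size_t nhave,
                          const CK_MECHANISM_TYPE *need, size_t nneed,
                          CK_MECHANISM_TYPE *missing)
{
    size_t nmissing = 0;
    for (size_t i = 0; i < nneed; i++) {
        int found = 0;
        for (size_t j = 0; j < nhave && !found; j++)
            found = (have[j] == need[i]);
        if (!found)
            missing[nmissing++] = need[i];
    }
    return nmissing;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s /path/to/pkcs11-module.so\n", argv[0]);
        return 2;
    }
    void *h = dlopen(argv[1], RTLD_NOW);
    if (h == NULL) {
        fprintf(stderr, "dlopen: %s\n", dlerror());
        return 2;
    }
    CK_RV (*getlist)(CK_FUNCTION_LIST_PREFIX **) =
        (CK_RV (*)(CK_FUNCTION_LIST_PREFIX **))dlsym(h, "C_GetFunctionList");
    CK_FUNCTION_LIST_PREFIX *f = NULL;
    if (getlist == NULL || getlist(&f) != CKR_OK || f == NULL) {
        fprintf(stderr, "C_GetFunctionList failed\n");
        return 2;
    }
    if (f->C_Initialize(NULL) != CKR_OK) {
        fprintf(stderr, "C_Initialize failed\n");
        return 2;
    }
    /* First slot with a token present; a real deployment would pick the
     * slot BIND is configured to use. */
    CK_SLOT_ID slots[16];
    CK_ULONG nslots = sizeof slots / sizeof slots[0];
    if (f->C_GetSlotList(1, slots, &nslots) != CKR_OK || nslots == 0) {
        fprintf(stderr, "no slot with a token present\n");
        return 2;
    }
    CK_MECHANISM_TYPE have[256];
    CK_ULONG nhave = sizeof have / sizeof have[0];
    if (f->C_GetMechanismList(slots[0], have, &nhave) != CKR_OK) {
        fprintf(stderr, "C_GetMechanismList failed\n");
        return 2;
    }
    CK_MECHANISM_TYPE missing[NREQUIRED];
    size_t n = missing_mechanisms(have, nhave, required, NREQUIRED, missing);
    for (size_t i = 0; i < n; i++)
        printf("missing mechanism 0x%04lx\n", missing[i]);
    printf("%lu mechanisms advertised, %zu required ones missing\n", nhave, n);
    f->C_Finalize(NULL);
    dlclose(h);
    return n == 0 ? 0 : 1;
}
```

Build with `cc -o p11check p11check.c -ldl` and run it against the same library path you would pass to `--with-pkcs11=`; a non-zero exit means the openssl build (which can supply the missing primitives in software) is the safer choice for that HSM. Random-number generation is not covered by the mechanism list at all: `C_GenerateRandom` either works or returns an error, so test it separately on the token you intend to use.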