Hello,

I'd like to start a discussion about Hardware Security Module (HSM) support for mod_ssl. You may know that OpenSSL supports different HW engines. There is also support for PKCS#11 devices, a standard for communication with crypto devices - e.g. HSMs or smartcards. Some HSM vendors support mod_ssl and their HSM with a modified OpenSSL/mod_ssl version. But support is limited to 1.3.X versions of Apache as far as we know.

There seems to be no standard interface for mod_ssl with HSM support for private key protection and operations. We decided to extend mod_ssl for usage with an HSM. We have a first prototype ("prealpha") with limited functionality now.

The limitations:
- Supports only one virtual host
- Supports no keys from files at the moment
- Loads HSM PIN from the OpenSSL.cnf file (no handler implemented at the moment)
- Certificate comes from file (not really a limitation...)

What it does:
- Private key is no longer in a file, it's in the secure HSM store
- Private key operations are processed on the HSM

The HSM configuration happens in the OpenSSL.cnf file. In httpd_ssl.conf we introduced two additional parameters.

Path to the OpenSSL config (Module global):
SSLEngineConfig C:/Apache22/conf/openssl.cnf

Reference describing the private key (Per virtual host):
SSLCertificateKeyReference
pkcs11#slot_0-id_65A0A10FFCE5B514CC228640C85373BB92C2DCD4

The reference descriptor has the following format:
<engineName>#<keyIdentifier>

<engineName> refers to the engine defined in openssl.cnf. The <keyIdentifier> part depends on the engine referred to before. These two chunks are separated with '#'. In the sample above we address a PKCS#11 device and use the private key with id 65A0A10FFCE5B514CC228640C85373BB92C2DCD4 on slot 0. A sample file of the OpenSSL config is attached at the end of this post.

Is it of interest to add HSM support to mod_ssl for private key protection in further versions of mod_ssl? Is there already an intention to implement this? If it is of interest and there are no plans to implement support, it would be great to have a discussion here on how to do that.

Kind regards
Dan


OpenSSL config file:

# PKCS11 engine config##################################################
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = "C:\\Apache22\\bin\\engine_pkcs11.dll"
MODULE_PATH = "C:\\Programme\\Eracom\\ProtectToolkit C SDK\\bin\\hsm\\cryptoki.dll"
PIN = "11223344"
init = 0
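As an added example (not part of Dan's post or the prototype), the following Python resolves an SSLCertificateKeyReference descriptor of the form <engineName>#<keyIdentifier> against the attached openssl.cnf: it follows openssl_conf -> engines -> engine section, checks the pkcs11 key identifier shape (slot_<n>-id_<hex>), and flags the clear-text PIN the post lists as a current limitation. The .cnf reader and the slot_<n>-id_<hex> pattern are assumptions modelled on the sample, not mod_ssl's own parsing.

```python
import re
# Sample openssl.cnf, taken from the config attached to the post (paths and PIN are the post's examples).
SAMPLE_CNF = r"""
openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = "C:\\Apache22\\bin\\engine_pkcs11.dll"
MODULE_PATH = "C:\\Programme\\Eracom\\ProtectToolkit C SDK\\bin\\hsm\\cryptoki.dll"
PIN = "11223344"
init = 0
"""
KEY_REF = re.compile(r"^([A-Za-z0-9_]+)#(.+)$")            # <engineName>#<keyIdentifier>
PKCS11_ID = re.compile(r"^slot_(\d+)-id_([0-9A-Fa-f]+)$")  # assumed engine_pkcs11 style: slot_<n>-id_<hex>

def parse_openssl_cnf(text):
    """Minimal reader for OpenSSL .cnf syntax; keys before the first [section] go to section ''."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value.strip('"')   # values may be double-quoted
    return sections

def resolve_key_reference(ref, cnf):
    """Split the descriptor and follow openssl_conf -> engines -> <engineName> to its section."""
    m = KEY_REF.match(ref)
    if not m:
        raise ValueError("reference must be <engineName>#<keyIdentifier>")
    engine, key_id = m.groups()
    top = cnf.get(cnf[""].get("openssl_conf"), {})
    engines = cnf.get(top.get("engines"), {})
    if engine not in engines or engines[engine] not in cnf:
        raise ValueError(f"engine {engine!r} is not declared in openssl.cnf")
    if engine == "pkcs11" and not PKCS11_ID.match(key_id):
        raise ValueError("pkcs11 key identifier must look like slot_<n>-id_<hex>")
    return cnf[engines[engine]], key_id

def audit_engine_section(section):
    """Flag the prototype's known weak spot: the HSM PIN sitting in clear text in openssl.cnf."""
    return ["PIN is stored in clear text in openssl.cnf"] if section.get("PIN") else []
```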
