On 27.11.2013 15:33, Dr Stephen Henson wrote:
> On 27/11/2013 12:26, Nick Gearls wrote:
>> Maybe it's time to remove all redundant code in mod_ssl and use all features
>> of OpenSSL; PKCS#11 will then be automatically supported and the maintenance
>> of mod_ssl will be simplified a lot.
>>
>
> PKCS#11 support isn't native in OpenSSL though some third party ENGINEs do
> include partial support.
>
> Completely transparent support is tricky (and in some cases impossible) due to
> several factors including the way PKCS#11 handles fork().

Right, that's also the major topic which
https://issues.apache.org/bugzilla/show_bug.cgi?id=42688 is elaborating on.
According to https://wiki.oasis-open.org/pkcs11/ShortTermItems, some fixes for
https://wiki.oasis-open.org/pkcs11/MultipleCallersPerProcess might make it into
PKCS#11 v2.40.

Engine PKCS#11 (https://github.com/OpenSC/engine_pkcs11) hasn't seen much
activity since 2010, are you aware of alternatives?

Kaspar