On Thu, Feb 06, 2020 at 07:52:18AM -0600, Daniel Ruggeri wrote:
> Hey there, Joe; No idea how I didn't detect this much sooner. I have
> access to hardware security modules with PKCS11 interfaces for key
> operations and would be happy to put this through its paces. The
> 2.5 docs are fairly light (note, this 2.4 patch seems to be missing
> docs) on how to test this out. Pointers appreciated if you have a
> working recipe.
That would be awesome. The stuff I'm not really sure about & could use
better docs is:

a) how to identify the right PKCS#11 URI for the key/cert objects, and
b) how to set up the OpenSSL pkcs11 engine correctly so this works

On recent Fedora/RHEL (b) works OOTB but I imagine this may take some
effort on other systems or from-scratch builds. For testing locally I
used a USB smartcard reader, setting up the card following
https://github.com/OpenSC/OpenSC/wiki/Quick-Start-with-OpenSC

If you can store a cert & private key on the token, mod_ssl will use
both, but I think not all HSMs can store the cert, so you can load that
from a PEM file if required and list the key only as a pkcs11: URI in
SSLCertificateKeyFile.

Beyond that it should "just work" if you configure per the mod_ssl docs.
Running "p11tool --list-tokens" listed the URI for the token, and I used:

SSLCertificateFile "pkcs11:model=PKCS%2315;manufacturer=OpenSC%20Project;serial=0001C954FFFF0200;token=Joe%20Orton%20%28OpenSC%20Card%29"

Regards, Joe

>
> On 2019/08/28 12:15:02 [email protected] wrote:
> > Author: jorton
> > Date: Wed Aug 28 12:15:01 2019
> > New Revision: 1866035
> >
> > URL: http://svn.apache.org/viewvc?rev=1866035&view=rev
> > Log:
> > Proposed mod_ssl PKCS#11 cert/key support.
> >
> > Modified:
> > httpd/httpd/branches/2.4.x/STATUS
> >
> > Modified: httpd/httpd/branches/2.4.x/STATUS
> > URL:
> > http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1866035&r1=1866034&r2=1866035&view=diff
> > ==============================================================================
> > --- httpd/httpd/branches/2.4.x/STATUS (original)
> > +++ httpd/httpd/branches/2.4.x/STATUS Wed Aug 28 12:15:01 2019
> > @@ -160,6 +160,21 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
> > rpluem says: -1 for now. See further discussion at
> > https://bz.apache.org/bugzilla/show_bug.cgi?id=63503
> >
> > + *) mod_ssl: Add support for loading certs & keys from PKCS#11 URLs via
> > the
> > + OpenSSL pkcs11 engine. Includes related minor cleanups and
> > + simplification to mod_ssl internals.
> > + trunk patch: http://svn.apache.org/r1830819
> > + http://svn.apache.org/r1830912
> > + http://svn.apache.org/r1830913
> > + http://svn.apache.org/r1830927
> > + http://svn.apache.org/r1831168
> > + http://svn.apache.org/r1831173
> > + http://svn.apache.org/r1835240
> > + http://svn.apache.org/r1835242
> > + http://svn.apache.org/r1835615
> > + 2.4.x patch: http://people.apache.org/~jorton/mod_ssl_pkcs11.patch
> > + +1: jorton,
> > +
> > PATCHES/ISSUES THAT ARE BEING WORKED
> > [ New entries should be added at the START of the list ]
> >
> >
> >
> --
> Daniel Ruggeri
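Review bot: the new STATUS entry lists nine trunk revisions and the 2.4.x patch but no documentation change, and the reply at the top of this thread says the 2.4 patch "seems to be missing docs"; before collecting further +1s, either add the mod_ssl manual revision to the "trunk patch:" list or fold the SSLCertificateFile / SSLCertificateKeyFile pkcs11: URI documentation into mod_ssl_pkcs11.patch, since a backport that changes accepted directive values without documenting them is hard to review and to test. Minor: the first added line says "PKCS#11 URLs" while the pkcs11: scheme (RFC 7512) and the rest of this thread say "URI"; suggest "PKCS#11 URIs" for consistency.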
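A helper for point (a) above, as an added example that is not httpd's, OpenSC's or Joe's code: it reads token URIs out of `p11tool --list-tokens` output (the listing below is constructed; its "Token N:" / tab-indented field layout is assumed from GnuTLS p11tool and only the second token reuses the URI Joe posted), builds and parses pkcs11: URIs using the attribute names of RFC 7512 and the same percent-encoding as Joe's URI, and emits the mod_ssl lines for the two layouts he describes (cert and key both on the token, or key on the token and cert from PEM). The refusal of a `pin-value` query attribute is my own check: RFC 7512 defines that attribute, and using it would put the token PIN into httpd.conf; how mod_ssl actually obtains the PIN is not covered by this thread.

```python
"""PKCS#11 URI (RFC 7512) helpers for wiring a token into mod_ssl.

Added example for this thread, not httpd, OpenSC or GnuTLS code.
"""
from urllib.parse import quote, unquote, unquote_to_bytes

# Constructed sample of `p11tool --list-tokens` output.  The block layout is
# assumed from GnuTLS p11tool; token 0 is invented, token 1 reuses the URI
# from the mail above.
SAMPLE_LISTING = """\
Token 0:
\tURL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
\tLabel: System Trust
\tType: Trust module
\tModule: p11-kit-trust.so

Token 1:
\tURL: pkcs11:model=PKCS%2315;manufacturer=OpenSC%20Project;serial=0001C954FFFF0200;token=Joe%20Orton%20%28OpenSC%20Card%29
\tLabel: Joe Orton (OpenSC Card)
\tType: Hardware token
\tModule: opensc-pkcs11.so
"""

# Attribute names from RFC 7512 section 2.3 (path part) and 2.4 (query part).
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-description", "slot-manufacturer", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}


def list_token_urls(listing):
    """Map token label -> pkcs11: URI from p11tool --list-tokens output."""
    tokens, url, label = {}, None, None
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith("Token "):          # new block: flush the previous one
            if url and label:
                tokens[label] = url
            url = label = None
        elif line.startswith("URL: "):
            url = line[len("URL: "):]
        elif line.startswith("Label: "):
            label = line[len("Label: "):]
    if url and label:
        tokens[label] = url
    return tokens


def pkcs11_uri(**attrs):
    """Build a pkcs11: URI.  Every byte except RFC 3986 unreserved characters
    is percent-encoded, which is what p11tool emits ('#'->%23, ' '->%20,
    '('->%28).  Query attributes (pin-source etc.) are placed after '?'."""
    unknown = set(attrs) - PATH_ATTRS - QUERY_ATTRS
    if unknown:
        raise ValueError(f"unknown PKCS#11 URI attribute(s): {sorted(unknown)}")
    path = [f"{k}={quote(str(v), safe='')}" for k, v in attrs.items() if k in PATH_ATTRS]
    query = [f"{k}={quote(str(v), safe='')}" for k, v in attrs.items() if k in QUERY_ATTRS]
    return "pkcs11:" + ";".join(path) + ("?" + "&".join(query) if query else "")


def parse_pkcs11_uri(uri):
    """Split a pkcs11: URI into decoded attributes; 'id' (CKA_ID) stays bytes."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    for part, allowed, sep in ((path, PATH_ATTRS, ";"), (query, QUERY_ATTRS, "&")):
        for item in filter(None, part.split(sep)):
            name, eq, value = item.partition("=")
            if not eq or name not in allowed:
                raise ValueError(f"bad PKCS#11 URI attribute {item!r}")
            attrs[name] = unquote_to_bytes(value) if name == "id" else unquote(value)
    return attrs


def config_warnings(uri):
    """Problems to fix before a pkcs11: URI goes into httpd.conf."""
    attrs = parse_pkcs11_uri(uri)
    warnings = []
    if "pin-value" in attrs:
        warnings.append("pin-value embeds the token PIN in the config file")
    if "serial" not in attrs and "token" not in attrs:
        warnings.append("no serial/token attribute: URI may match several tokens")
    return warnings


def mod_ssl_directives(token_uri, cert_pem=None):
    """mod_ssl lines for the two layouts in Joe's mail: cert and key both on
    the token (one URI in SSLCertificateFile), or cert from a PEM file and the
    key-only URI in SSLCertificateKeyFile.  Refuses URIs config_warnings() flags."""
    problems = config_warnings(token_uri)
    if problems:
        raise ValueError("; ".join(problems))
    if cert_pem is None:
        return f'SSLCertificateFile "{token_uri}"\n'
    return (f'SSLCertificateFile "{cert_pem}"\n'
            f'SSLCertificateKeyFile "{token_uri}"\n')


if __name__ == "__main__":
    tokens = list_token_urls(SAMPLE_LISTING)
    for label, url in tokens.items():
        print(f"{label}: {url}")
    joe = tokens["Joe Orton (OpenSC Card)"]
    print(mod_ssl_directives(joe), end="")
    # Key-only variant: narrow to one object with object=/type= (RFC 7512 names;
    # the object label "server" and the PEM path are assumptions).
    print(mod_ssl_directives(joe + ";object=server;type=private",
                             "/etc/pki/tls/certs/server.pem"), end="")
```

Whether the mod_ssl patch honours `object=` / `type=` to pick one key among several on the token is an assumption here; the thread only shows a token-level URI. The script's one hard rule is worth keeping regardless: never let a `pin-value` URI reach the config file, since httpd.conf is routinely world-readable and copied into tickets.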
