On Thu, Mar 28, 2024 at 08:26:58AM +0800, Richard Chan wrote:
> Hello,
>
> This is an RFC to recreate private keys in the worker process
> for PKCS#11, so that HSM keys can be used in -W mode.
>
> - ssl_ckch.c: add map of ckch_data to PEM data
> - ssl_sock.c: add map of SSL_CTX* to ckch_data
> - maps are implemented using buckets of linked lists
>   it is explicit and in the code for easier review instead of using
>   more optimized hashmap implementations
> - when the SSL context is created and the correct SSL_CTX is assigned
>   with SSL_use_SSL_CTX
>   the private key data is retrieved just once, cached, and installed
>   into the SSL_CTX;
>   this is done in the worker process
> - the PEM data has an arbitrary limit of 16384 bytes
>

Hello Richard,

I'd rather not add another cache on top of the current cache system, it will complexify the loading and we are trying to simplify it.

Did you identify why the fork was causing an issue? We should probably try to understand this before, it could be something stupid in haproxy's code or in the pkcs11 provider.

For 3.1 I plan to move the configuration loading in the worker so you won't have this problem anymore. We still need to validate that everything will be compatible but I have good hope that it's doable and will clean up a lot of startup code.

There is an experimental branch there https://github.com/haproxy/haproxy/commits/20240131-mworkerv3-rewrite/

It does not do much for now but it could be enough to test the startup with an HSM. I'll try to test this when I have some time.

Regards,

-- 
William Lallemand