On Tue, Apr 21, 2026 at 03:22:04PM +0100, Christopher Staite wrote:
> Hi,

Hello Christopher,

> Been poking around the edges of this on the side for some time now.
>
> I keep looking at p11-kit and then getting put off. I contacted them about
> how they would feel about this integration and they did not reply.

I did see your GitHub ticket indeed; the project doesn't seem dead, but there's not much response in the tickets :/ Maybe you should try to contact the maintainers by email?

> The RPC protocol is internal and could change between versions. I'm not a
> fan of that.

According to this issue https://github.com/p11-glue/p11-kit/issues/733 there's a negotiation of the version, but I don't know if it's reliable given the issue :/

> Therefore I've come up with the conclusion that the solution here would be to
> have HAProxy fork at start-up if this is enabled in the global configuration

We do have plans to have this mechanism in the master process for some features; we could probably have something like that for the PKCS#11 indeed.

> and then execute all of the PKCS#11 synchronous code in that forked process.
> This could then communicate with the main process over a socket that was
> established when it forked.

That would mean loading the PKCS#11 .so file in HAProxy directly then. That would simplify the configuration to only one piece of software to configure, but that's really a lot of maintenance for us, having both the PKCS#11 interface and the network one.

> The forking mechanism doesn't allow the offloading as discussed elsewhere in
> this thread, so perhaps we have a separate daemon distributed with HAProxy to
> provide this. Essentially re-implementing p11-kit (unfortunately), but in a
> limited manner for just the required functions for this feature.

Since version 3.1, HAProxy doesn't initialize the whole configuration in the master anymore; only the master part is read there, then the worker reads its own configuration once it has been forked. So that shouldn't be an issue.

Personally I find it simpler if this side binary is started by HAProxy itself, so users don't have to handle a separate unit file etc. Maybe we could have it separated at the beginning and see what we can do once it's working.

> Before I go down that road I thought I'd re-visit the list for feedback.

I don't know if that's a good approach; what I fear is the maintenance of the two sides, the PKCS#11 interface with the .so and the network part. It would really be better if we only had the maintenance of the network part to do. The p11-kit protocol seems versioned and negotiated; maybe we could just stick to one version of the protocol?

-- 
William Lallemand
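
The start-up fork design sketched in the quoted message (a helper forked by the main process, a socket created before the fork, all synchronous token calls confined to the helper) in working form, as an added C example that is not HAProxy's, p11-kit's or either poster's code. fake_token_op() is a constructed stand-in for the PKCS#11 calls (an XOR over the buffer), the fixed-size request/response frames and the op codes are assumptions made for the example, and the helper refuses an unknown op code instead of acting on it, so the main process learns of a bad request from a status byte rather than from a dead helper.

```c
/* Added example (not HAProxy or p11-kit code): fork a helper at start-up and
 * confine blocking "token" calls to it over a socketpair made before the fork. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

enum { OP_SIGN = 1, MAX_DATA = 64 };
/* Fixed-size frames (assumption): a short read is a transport failure, never a half-parsed request. */
struct req  { uint8_t op;     uint8_t len; uint8_t data[MAX_DATA]; };
struct resp { uint8_t status; uint8_t len; uint8_t data[MAX_DATA]; };
struct helper { pid_t pid; int fd; };   /* fd: the parent's end of the pair */

static int read_full(int fd, void *buf, size_t n) {
    for (uint8_t *p = buf; n > 0; ) {
        ssize_t r = read(fd, p, n);
        if (r <= 0) return -1;          /* EOF or error: peer is gone */
        p += r; n -= (size_t)r;
    }
    return 0;
}

static int write_full(int fd, const void *buf, size_t n) {
    for (const uint8_t *p = buf; n > 0; ) {
        /* MSG_NOSIGNAL: a dead helper yields EPIPE, not SIGPIPE in the parent */
        ssize_t w = send(fd, p, n, MSG_NOSIGNAL);
        if (w <= 0) return -1;
        p += w; n -= (size_t)w;
    }
    return 0;
}

/* Constructed stand-in for the blocking PKCS#11 call a real helper would make. */
static void fake_token_op(const uint8_t *in, size_t len, uint8_t *out) {
    for (size_t i = 0; i < len; i++) out[i] = in[i] ^ 0x5a;
}

/* Helper side: serve until the parent closes its end. Unknown ops and
 * oversized lengths are refused (status 1) rather than acted on. */
static void helper_loop(int fd) {
    struct req r; struct resp s;
    while (read_full(fd, &r, sizeof r) == 0) {
        memset(&s, 0, sizeof s);
        if (r.op != OP_SIGN || r.len > MAX_DATA) s.status = 1;
        else { fake_token_op(r.data, r.len, s.data); s.len = r.len; }
        if (write_full(fd, &s, sizeof s) != 0) break;
    }
}

/* Parent side: socketpair, fork, keep one end each. */
int helper_start(struct helper *h) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) { close(sv[0]); helper_loop(sv[1]); _exit(0); }
    close(sv[1]);
    h->pid = pid; h->fd = sv[0];
    return 0;
}

/* One synchronous round trip: 0 ok, 1 refused by the helper, -1 transport failure. */
int helper_call(struct helper *h, uint8_t op, const uint8_t *in, size_t len, uint8_t *out) {
    struct req r = { .op = op, .len = (uint8_t)len };
    struct resp s;
    if (len > MAX_DATA) return -1;
    memcpy(r.data, in, len);
    if (write_full(h->fd, &r, sizeof r) != 0) return -1;
    if (read_full(h->fd, &s, sizeof s) != 0) return -1;
    if (s.status != 0) return 1;
    if (s.len != len) return -1;
    memcpy(out, s.data, len);
    return 0;
}

void helper_stop(struct helper *h) {
    close(h->fd);                        /* EOF ends helper_loop() */
    waitpid(h->pid, NULL, 0);
}

/* Constructed input: a valid OP_SIGN must come back transformed, then an unknown
 * op must be refused with the helper still serving. Returns 0 when both hold. */
int demo_run(void) {
    struct helper h;
    const uint8_t msg[5] = { 'h', 'e', 'l', 'l', 'o' };
    uint8_t out[MAX_DATA], expect[MAX_DATA];
    if (helper_start(&h) != 0) return -1;
    int rc = helper_call(&h, OP_SIGN, msg, sizeof msg, out);
    fake_token_op(msg, sizeof msg, expect);
    if (rc != 0 || memcmp(out, expect, sizeof msg) != 0) rc = -2;
    else rc = helper_call(&h, 0x7f, msg, 1, out) == 1 ? 0 : -3;
    helper_stop(&h);
    return rc;
}

int main(void) { printf("demo_run=%d (0 = ok)\n", demo_run()); return 0; }
```

Build with any C compiler on Linux (MSG_NOSIGNAL is assumed); demo_run() returns 0 when the round trip and the refused request both behave as described. Whether the helper loads the .so itself or speaks p11-kit's RPC is exactly the maintenance trade-off raised in the reply; the socketpair and the framing are the same in either case.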

