Francisco Corella wrote:
Hi Goetz,
OpenSSL comes with built-in support for different crypto hardware (called ENGINE, in crypto/engine/). But support for additional crypto engines may be added at run time.
Please search the OpenSSL web pages.
I think I understand, at least in principle, how to use hardware crypto with mod_ssl. But there are two ways of doing it, depending on where you keep the server key:
(a) You may keep the server key in a file specified by the directive SSLCertificateKeyFile, and send the key to the hardware for each operation that requires use of the key. Or,
(b) You may keep the server key in the hardware, and tell the hardware what key to use for each operation in some ad-hoc fashion.
My understanding is that most hardware crypto uses option (a). I know that nCipher lets you use option (a) or option (b), but using option (b) requires buying the tamperproof card called "nForce", which is very expensive, instead of the vanilla "nFast" card.
What I was asking is whether there is other crypto hardware out there that lets you use option (b). I'm hoping to find something less expensive than nForce.
Eracom has a crypto card. It is accessed with a PKCS#11 interface.
There are several PKCS#11 ENGINE implementations for OpenSSL available (one from Bull, one from Eracom, maybe others).
Have a look at one of these.
Bye
Goetz
--
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126
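As an added illustration, not part of either message above, here is how options (a) and (b) look side by side in a mod_ssl configuration that uses a PKCS#11 ENGINE. The engine id `pkcs11`, the certificate and key paths, and the token and object labels are assumptions; option (b) relies on a feature of later mod_ssl releases, giving SSLCertificateKeyFile a PKCS#11 URI, and the engine itself must already be registered in openssl.cnf (for example libp11's engine_pkcs11).

```apache
# Added example. SSLCryptoDevice names an OpenSSL ENGINE that has been
# registered in openssl.cnf; "pkcs11" is an assumed engine id.
SSLCryptoDevice pkcs11

# Option (a): the private key stays in a file on the host and is sent to
# the hardware for each operation the ENGINE registers itself for. The key
# material is readable by anyone who can read the file.
<VirtualHost *:443>
    ServerName option-a.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/option-a.crt
    SSLCertificateKeyFile /etc/ssl/private/option-a.key
</VirtualHost>

# Option (b): the private key is generated and kept inside the token and
# never leaves it. mod_ssl asks the ENGINE for a key handle by PKCS#11 URI
# (RFC 7512); token and object labels are constructed placeholders, and the
# PIN is supplied through the engine's own configuration, not shown here.
<VirtualHost *:443>
    ServerName option-b.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/option-b.crt
    SSLCertificateKeyFile "pkcs11:token=WebServerToken;object=tls-key;type=private"
</VirtualHost>
```

With option (b) the key file directive no longer points at anything a file-system compromise could copy, which is the property the "key in hardware" choice buys.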