For example, the testing steps for Ubuntu user "nx" with
nginx > openssl > engine_pkcs11 > softhsm:

1) -install softhsm (apt-get install softhsm);
   -edit config (/etc/softhsm/softhsm.conf with: "0:/home/nx/slot0.db");
   -init token (softhsm --init-token --slot 0 --label "NginxZero");

2) -install opensc (apt-get install opensc);
   -generate key in token from step 1) (

   pkcs11-tool --module=/usr/lib/softhsm/libsofthsm.so \
               -l -k -d 0 -a nx_key_0 --key-type rsa:2048

   )

3) -install engine_pkcs11 (apt-get install libengine-pkcs11-openssl)

4) -install openssl (apt-get install openssl libssl-dev)
   -edit config (

   /etc/ssl/openssl.cnf insert after "oid_section = new_oids":

   openssl_conf            = openssl_def
   [openssl_def]
   engines = engine_section
   [engine_section]
   pkcs11 = pkcs11_section
   [pkcs11_section]
   engine_id = pkcs11
   dynamic_path = /usr/lib/engines/engine_pkcs11.so
   MODULE_PATH = /usr/lib/softhsm/libsofthsm.so
   init = 0

   )
   -make self-signed certificate (

   openssl req -engine pkcs11 -new -key id_00 -keyform engine \
           -out req.pem -text -x509 -subj "/CN=NginxZero"

   openssl x509 -engine pkcs11 -signkey slot_0-id_00 \
           -keyform engine -in req.pem -out cert.pem

   )

5) -build nginx with this patch and --with-http_ssl_module
   -edit config (

   nginx.conf section main:

   ssl_engine pkcs11;

   nginx.conf section http:

   server {
            listen              *:443;
            server_name         localhost;

            ssl                 on;
            ssl_certificate     /home/nx/cert.pem;
            ssl_certificate_key engine:pkcs11:slot_0-id_00;

            ssl_protocols       SSLv2 SSLv3 TLSv1;
            ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
            ssl_prefer_server_ciphers on;

            charset UTF-8;

            location / {
                root   /home/nx/www;
                index  index.html index.htm;
            }
          }

   )

6) run/test nginx

On 12.08.2014 4:43, Maxim Dounin wrote:
Hello!

On Mon, Aug 11, 2014 at 08:36:12AM +0400, Dmitrii Pichulin wrote:

What is the current status of this patch?

Let us know if it has any issues.

As far as I see, there are no serious problems left.  There are
various minor style issues though (like incorrect patch subject,
use of "char" instead of "u_char", and so on).  I'm going to
cleanup these as time permits.  Please ping again if it hasn't
happened in a week or two.

(Meanwhile, you may try to clean things yourself and post an
updated patch.)

BTW, if you have a good example of an engine to test with, this
may be also helpful.


_______________________________________________
nginx-devel mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx-devel

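The server block in step 5 is a test configuration, and a practitioner copying it should not carry its protocol and cipher list into production: SSLv2 is prohibited by RFC 6176, SSLv3 is broken by POODLE (CVE-2014-3566), RC4 is prohibited by RFC 7465, and 3DES is subject to Sweet32. What matters for the patch is the ssl_engine / ssl_certificate_key wiring, which is independent of those settings. The script below is an added example, not part of the original post or of the nginx patch: it embeds a constructed copy of the posted server block, lints it for obsolete protocol and cipher tokens, checks that the key is referenced through the pkcs11 engine rather than a file, and prints a hardened block with the same engine wiring. The hardened block assumes a current nginx and OpenSSL (TLSv1.3 needs nginx 1.13 or later with OpenSSL 1.1.1 or later, and "listen ... ssl" replaces the now deprecated "ssl on"); the paths are the post's test paths.

```shell
#!/bin/sh
# Added example, not part of the original post or of the nginx patch:
# lint an nginx server block for the protocol/cipher settings used in the
# test configuration above, and show a hardened block with the same
# ssl_engine / ssl_certificate_key wiring.

# Constructed copy of the posted server block, embedded so the script runs offline.
sample_config() {
cat <<'EOF'
server {
    listen              *:443;
    server_name         localhost;
    ssl                 on;
    ssl_certificate     /home/nx/cert.pem;
    ssl_certificate_key engine:pkcs11:slot_0-id_00;
    ssl_protocols       SSLv2 SSLv3 TLSv1;
    ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
    ssl_prefer_server_ciphers on;
}
EOF
}

# Same block with settings acceptable for a current nginx/OpenSSL (assumption:
# nginx >= 1.13 and OpenSSL >= 1.1.1 for TLSv1.3; "listen ... ssl" replaces the
# deprecated "ssl on"). The RSA key still comes from the token via the engine.
hardened_config() {
cat <<'EOF'
server {
    listen              *:443 ssl;
    server_name         localhost;
    ssl_certificate     /home/nx/cert.pem;
    ssl_certificate_key engine:pkcs11:slot_0-id_00;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
}
EOF
}

# directive_value FILE NAME: print the value of the first NAME directive, without the ';'
directive_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\);.*/\1/p" "$1" | head -n 1
}

# weak_protocols FILE: one line per protocol token that is broken or obsolete
# (SSLv2: RFC 6176; SSLv3: POODLE, CVE-2014-3566; TLS 1.0/1.1: RFC 8996)
weak_protocols() {
    for p in $(directive_value "$1" ssl_protocols); do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) printf '%s\n' "$p" ;;
        esac
    done
}

# weak_ciphers FILE: one line per suite using RC4 (RFC 7465), 3DES (Sweet32) or MD5
weak_ciphers() {
    directive_value "$1" ssl_ciphers | tr ':' '\n' | grep -E 'RC4|DES-CBC3|MD5' || true
}

# key_in_engine FILE: succeed only if the private key is referenced through the
# pkcs11 engine, i.e. no key file has to exist on the nginx host
key_in_engine() {
    case "$(directive_value "$1" ssl_certificate_key)" in
        engine:pkcs11:*) return 0 ;;
        *) return 1 ;;
    esac
}

# count_findings FILE: total number of weak protocol and cipher tokens
count_findings() {
    n=$(weak_protocols "$1" | wc -l)
    m=$(weak_ciphers "$1" | wc -l)
    echo $((n + m))
}

# Stand-alone run (sh lint.sh --demo): lint the posted block, then the hardened one.
if [ "${1:-}" = "--demo" ]; then
    for gen in sample_config hardened_config; do
        f=$(mktemp); "$gen" > "$f"
        printf '%s: %s weak tokens, key in engine: %s\n' "$gen" \
            "$(count_findings "$f")" "$(key_in_engine "$f" && echo yes || echo no)"
        rm -f "$f"
    done
fi
```

The lint only reads configuration text; it does not prove that the key is really being used from the token. For that, list the token's objects with pkcs11-tool --module /usr/lib/softhsm/libsofthsm.so -O and exercise a handshake against the running server with openssl s_client -connect localhost:443. Note also that OpenSSL 3 deprecates the ENGINE API that ssl_engine loads, so on current systems the same setup is usually done through a PKCS#11 provider instead of engine_pkcs11.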