Hello!

On Mon, Nov 10, 2014 at 03:54:20PM +0100, Thomas Calderon wrote:

> Hi all,
>
> Is someone else interested in providing feedback for my patch?

Dmitrii's patch is currently a primary candidate for inclusion.
I agree with Piotr - it looks much better as it doesn't introduce
additional dependencies and more configuration directives to do
the same thing.

> Regards,
>
> Thomas.
>
> On Mon, Nov 3, 2014 at 11:30 PM, Thomas Calderon <calderon.tho...@gmail.com>
> wrote:
>
> > Hi Piotr,
> >
> > I was not aware that some efforts were ongoing to use PKCS#11 devices with
> > nginx.
> > However, my experience with OpenSSL engine support is that the code is
> > dusty, rather limited and relies on external configuration files.
> > Dmitrii's approach requires to stack the OpenSSL engine code and OpenSC's
> > engine_pkcs11 which ends up loading the real PKCS#11 middleware.
> > OpenSSL tends to perform multiple engine initialization which can confuse
> > the PKCS#11 shared library. Using the engine section in openssl.cnf ties
> > you up with a system-wide defined middleware.
> >
> > I would rather advocate for a more direct and self-contained approach.
> >
> > Regards,
> >
> > Thomas Calderon.
> >
> > On Mon, Nov 3, 2014 at 10:50 PM, Piotr Sikora <pi...@cloudflare.com>
> > wrote:
> >
> >> Hi Thomas,
> >>
> >> > This patch leverages PKCS#11 support in nginx http module using libp11.
> >> > This allows the private key to be stored in a dedicated hardware (or
> >> > software) component.
> >>
> >> Dmitrii Pichulin is already working on (IMHO) much better way to
> >> handle PKCS#11 via OpenSSL engines:
> >> http://mailman.nginx.org/pipermail/nginx-devel/2014-August/005740.html
> >>
> >> Best regards,
> >> Piotr Sikora
> >>
> >> _______________________________________________
> >> nginx-devel mailing list
> >> nginx-devel@nginx.org
> >> http://mailman.nginx.org/mailman/listinfo/nginx-devel

--
Maxim Dounin
http://nginx.org/