Hello! On Fri, Jun 19, 2015 at 04:39:48PM +0200, Nikos Mavrogiannopoulos wrote:
> On Fri, 2015-06-19 at 17:07 +0300, Maxim Dounin wrote:
> > Have you tried
> >
> > ssl_certificate_key "engine:pkcs11:model=SoftHSM%20v2serial=f0490bea35;pin-value=1234";
> >
> > instead?
> >
> > I don't see how it's different from the code you propose.
>
> Hi,
> Yes, I've tried it. It would be specified as:
> "engine:pkcs11:pkcs11:model=SoftHSM%20v2serial=f0490bea35;pin-value=1234";
>
> But doesn't work, because it doesn't initialize the pkcs11 engine.

Shouldn't initialization of an engine be added to "engine:..." handling then?

(Just a side note: your patch has ENGINE_init() but no ENGINE_finish(). It looks like a leak.)

> Furthermore, the "engine:pkcs11:pkcs11:" approach defeats the purpose
> of PKCS #11 URLs which is to use the same string to identify the same
> keys on all applications.

The goal of the "engine:..." syntax is to allow nginx to load keys from arbitrary engines. With this approach you can use PKCS #11 URLs as identifiers for engines which support them - though you have to write a prefix "engine:<name>:" to instruct nginx to load a key from a named engine rather than a file.

So I don't think that the current approach "defeats the purpose" somehow - it's just a bit more chatty than it can be assuming nginx knows for sure that the only engine usable for PKCS #11 URLs is pkcs11.

-- 
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
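The two key-reference forms discussed in the thread, as an added example that is not part of the thread or of nginx: it splits nginx's "engine:<name>:<key id>" value into engine name and key identifier, then parses the PKCS #11 URI itself, so that one can see the portable URI comes back unchanged once the engine prefix is stripped. The sample value is constructed from the thread's token (the ";" separator between model and serial is assumed), and the pin-value check is this example's own addition.

```python
from urllib.parse import unquote

ENGINE_PREFIX = "engine:"
PKCS11_SCHEME = "pkcs11:"


def split_engine_key(value):
    """Split an nginx ssl_certificate_key value of the form
    "engine:<name>:<key id>" into (engine_name, key_id).
    A value without the "engine:" prefix is a plain file path: (None, value)."""
    if not value.startswith(ENGINE_PREFIX):
        return None, value
    name, sep, key_id = value[len(ENGINE_PREFIX):].partition(":")
    if not sep or not name or not key_id:
        raise ValueError("malformed engine key reference: %r" % value)
    return name, key_id


def parse_pkcs11_uri(uri):
    """Parse a PKCS #11 URI (RFC 7512) into (path_attrs, query_attrs).
    Path attributes follow "pkcs11:" separated by ";"; query attributes
    follow "?" separated by "&". Values are percent-decoded."""
    if not uri.startswith(PKCS11_SCHEME):
        raise ValueError("not a PKCS #11 URI: %r" % uri)
    path_part, _, query_part = uri[len(PKCS11_SCHEME):].partition("?")

    def attrs(part, sep):
        out = {}
        for item in filter(None, part.split(sep)):
            key, eq, val = item.partition("=")
            if not eq:
                raise ValueError("attribute without '=': %r" % item)
            out[key] = unquote(val)
        return out

    return attrs(path_part, ";"), attrs(query_part, "&")


def embeds_pin(uri):
    """True when the URI carries the token PIN inline (pin-value), which
    means the PIN ends up in the nginx configuration file."""
    path_attrs, query_attrs = parse_pkcs11_uri(uri)
    return "pin-value" in path_attrs or "pin-value" in query_attrs


if __name__ == "__main__":
    # Constructed sample in the "engine:pkcs11:pkcs11:..." form from the thread.
    sample = "engine:pkcs11:pkcs11:model=SoftHSM%20v2;serial=f0490bea35;pin-value=1234"
    engine, key_id = split_engine_key(sample)
    print(engine, key_id, parse_pkcs11_uri(key_id), embeds_pin(key_id))
```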