On Mon, 2015-06-22 at 11:06 +0200, Nikos Mavrogiannopoulos wrote:
> The current support relies on engine_pkcs11, which is a 3rd party
> module (not in openssl distribution). It should be future-proof to have
> a way to load PKCS #11 modules which is independent of the backend used
> by nginx. So you could change the internal backend (for example to use
> libp11 directly), without requiring all nginx users to change their
> configuration files and remove the "engine:pkcs11:" part from their
> keys.
To add to this, it seems that the current PKCS #11 support in nginx is
broken. It will only work with softhsm, which is a simplistic soft module.
Hardware HSMs, and more advanced soft HSMs like caml-crush, require strict
PKCS #11 adherence, which neither engine_pkcs11 nor nginx has. That is,
they require the reinitialization of any open PKCS #11 modules and object
handles after a fork. I think the simplest way is to solve that within
engine_pkcs11 with an atfork handler and reinitialization on re-use...
but that would be quite messy.

For more info see:
https://bugzilla.redhat.com/show_bug.cgi?id=1235284
https://github.com/ANSSI-FR/caml-crush/issues/15

regards,
Nikos

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
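The failure mode described in the message above, shown as an added example that is not code from nginx, engine_pkcs11, softhsm or caml-crush. Everything in it is constructed: a tiny "strict" PKCS #11 module that, like a hardware HSM, refuses calls from any pid other than the one that called C_Initialize and forgets its sessions when reinitialized, and a wrapper (p11_ensure_session, a hypothetical name) that does the "reinitialization on re-use" an engine would need after fork(). Only the CKR_* values are real PKCS #11 return codes; the function signatures are simplified stand-ins. sign_in_child(0) reuses the inherited session handle the way a fork-unaware engine does; sign_in_child(1) goes through the wrapper first.

```c
/*
 * Added example, not nginx or engine_pkcs11 code. Everything below is a
 * constructed stand-in: a tiny "strict" PKCS #11 module that refuses calls
 * from any pid other than the one that called C_Initialize and forgets its
 * sessions on reinitialization, plus a wrapper that reinitializes on
 * re-use after fork(). Only the CKR_* values are real PKCS #11 constants;
 * the function signatures are simplified.
 */
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

typedef unsigned long CK_RV;
typedef unsigned long CK_SESSION_HANDLE;
#define CKR_OK                           0x000UL
#define CKR_SESSION_HANDLE_INVALID       0x0B3UL
#define CKR_CRYPTOKI_NOT_INITIALIZED     0x190UL
#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x191UL

/* ---- constructed strict module (stands in for a hardware HSM) ---- */
static struct {
    int initialized;
    pid_t owner;                 /* pid that called C_Initialize */
    CK_SESSION_HANDLE next;      /* handle counter, never reused */
    CK_SESSION_HANDLE session;   /* the single open session, 0 if none */
} mod;

static int owned_by_caller(void) {
    return mod.initialized && mod.owner == getpid();
}

static CK_RV C_Initialize(void) {
    if (owned_by_caller()) return CKR_CRYPTOKI_ALREADY_INITIALIZED;
    /* State inherited across fork belongs to another pid: discard it. */
    mod.initialized = 1;
    mod.owner = getpid();
    mod.session = 0;
    return CKR_OK;
}

static CK_RV C_OpenSession(CK_SESSION_HANDLE *out) {
    if (!owned_by_caller()) return CKR_CRYPTOKI_NOT_INITIALIZED;
    mod.session = ++mod.next;
    *out = mod.session;
    return CKR_OK;
}

static CK_RV C_Sign(CK_SESSION_HANDLE h) {   /* the signing itself is elided */
    if (!owned_by_caller()) return CKR_CRYPTOKI_NOT_INITIALIZED;
    if (h == 0 || h != mod.session) return CKR_SESSION_HANDLE_INVALID;
    return CKR_OK;
}

/* ---- what the engine side needs: reinitialize on re-use ---- */
static struct { pid_t pid; CK_SESSION_HANDLE session; } ctx;

/* Hypothetical helper: call before every use of the module. A pid compare
 * replaces the atfork handler; an atfork child handler could instead just
 * zero ctx.pid so the next use takes this path. */
CK_RV p11_ensure_session(CK_SESSION_HANDLE *out) {
    if (ctx.pid != getpid()) {  /* first use, or we are a forked child */
        CK_RV rv = C_Initialize();
        if (rv != CKR_OK && rv != CKR_CRYPTOKI_ALREADY_INITIALIZED) return rv;
        rv = C_OpenSession(&ctx.session);
        if (rv != CKR_OK) return rv;
        ctx.pid = getpid();
    }
    *out = ctx.session;
    return CKR_OK;
}

/* Map a CK_RV to a small exit code so the child can report it to its parent. */
static int rv_code(CK_RV rv) {
    switch (rv) {
    case CKR_OK:                       return 0;
    case CKR_CRYPTOKI_NOT_INITIALIZED: return 1;
    case CKR_SESSION_HANDLE_INVALID:   return 2;
    default:                           return 3;
    }
}

/* Initialize in the parent, fork, sign in the child. reinit=0 reuses the
 * inherited handle the way a fork-unaware engine would; reinit=1 goes
 * through p11_ensure_session first. Returns the child's rv_code, -1 on
 * a fork/wait failure. */
int sign_in_child(int reinit) {
    CK_SESSION_HANDLE h;
    if (p11_ensure_session(&h) != CKR_OK) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (reinit && p11_ensure_session(&h) != CKR_OK) _exit(3);
        _exit(rv_code(C_Sign(h)));
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    printf("child, inherited handle: code %d\n", sign_in_child(0));
    printf("child, reinitialized:    code %d\n", sign_in_child(1));
    return 0;
}
```

A lenient module such as softhsm keeps no pid state, so the inherited-handle path would return CKR_OK and the bug stays hidden; the strict stand-in returns CKR_CRYPTOKI_NOT_INITIALIZED (code 1) for it, and CKR_OK (code 0) only once the child has reinitialized and opened its own session.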