On Fri, Apr 13, 2012, Sunjeet Singh wrote:
> Hi,
>
> Stupid question-
>
> If I use an HSM to store the private key used for SSL connections using the
> CryptoAPI engine for OpenSSL, is all data to be encrypted/decrypted going
> through my HSM? I'm-
>
> 1. Registering my HSM as a Cryptographic Service Provider, and
> 2. Setting my application code to initialize structural and functional
> references to the CAPI engine and bringing up a connection using the private
> key stored in the HSM.
>
> The rest of the code just uses OpenSSL functions like SSL_write() and SSL_read().
>
> Since the key resides on the HSM, is data going to my HSM to get
> encrypted/decrypted, or is there a session key being made on the HSM for each
> SSL session that is then passed to the OS, with the OS
> encrypting/decrypting data in memory?
The CryptoAPI ENGINE only handles private key operations, so your HSM is only used either to decrypt the premaster secret (RSA key exchange ciphersuites) or to sign a DH or ECDH public key (ephemeral ciphersuites). The rest is handled in software using OpenSSL's cryptographic algorithm implementations.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
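The boundary Steve describes (the HSM sees only the per-handshake private-key operation; session keys and bulk record encryption live in software) can be made visible with a counting key wrapper. The Go program below is an added example for this thread, not code from the thread, from OpenSSL or from the CAPI engine: it uses Go's crypto/tls, which, like an OpenSSL ENGINE-backed EVP_PKEY, only ever talks to the server key through an interface (crypto.Signer). A hypothetical `countingSigner` stands in for the HSM, a TLS 1.2 ECDHE-ECDSA session is run over an in-memory pipe with a constructed self-signed certificate for the made-up name "hsm-demo", and `HandshakeSignCalls` reports how many private-key operations were needed for the handshake plus any number of application records. The answer is one, however many records are exchanged, because AES-GCM record protection never touches the key.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"sync/atomic"
	"time"
)

// countingSigner is a hypothetical stand-in for an HSM-held key: crypto/tls
// only sees the crypto.Signer interface, so every private-key operation has to
// pass through Sign(), where it is counted. Bulk record encryption runs in
// software and never reaches this type.
type countingSigner struct {
	key   *ecdsa.PrivateKey
	calls int64
}

func (s *countingSigner) Public() crypto.PublicKey { return &s.key.PublicKey }

func (s *countingSigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	atomic.AddInt64(&s.calls, 1)
	return s.key.Sign(r, digest, opts)
}

// selfSignedCert issues a throwaway certificate for the constructed name
// "hsm-demo". Issuance is itself one signature, so callers measure only the
// operations that happen after it.
func selfSignedCert(signer *countingSigner) (*x509.Certificate, []byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "hsm-demo"},
		DNSNames:     []string{"hsm-demo"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, signer.Public(), signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, der, err
}

// HandshakeSignCalls runs one TLS session over net.Pipe, echoes `records`
// application records through it, and returns the number of private-key
// operations the handshake and the records together caused.
func HandshakeSignCalls(records int) (int64, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return 0, err
	}
	signer := &countingSigner{key: key}
	cert, der, err := selfSignedCert(signer)
	if err != nil {
		return 0, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)

	// TLS 1.2 is pinned so the server's single signature is over the ephemeral
	// ECDH share (ServerKeyExchange), the ephemeral-ciphersuite case in the reply.
	// TLS 1.3 would also sign exactly once, in CertificateVerify.
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: signer}},
		MinVersion:   tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
	}
	clientCfg := &tls.Config{
		RootCAs: pool, ServerName: "hsm-demo",
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
	}

	clientRaw, serverRaw := net.Pipe()
	defer clientRaw.Close()
	defer serverRaw.Close()

	serverErr := make(chan error, 1)
	go func() {
		srv := tls.Server(serverRaw, serverCfg)
		buf := make([]byte, 256)
		for i := 0; i < records; i++ {
			n, err := srv.Read(buf) // the first Read also drives the server handshake
			if err == nil {
				_, err = srv.Write(buf[:n])
			}
			if err != nil {
				serverErr <- err
				return
			}
		}
		serverErr <- nil
	}()

	cli := tls.Client(clientRaw, clientCfg)
	before := atomic.LoadInt64(&signer.calls)
	if err := cli.Handshake(); err != nil {
		return 0, err
	}
	for i := 0; i < records; i++ {
		msg := []byte(fmt.Sprintf("record %d", i))
		if _, err := cli.Write(msg); err != nil {
			return 0, err
		}
		echo := make([]byte, len(msg))
		if _, err := io.ReadFull(cli, echo); err != nil {
			return 0, err
		}
	}
	if err := <-serverErr; err != nil {
		return 0, err
	}
	return atomic.LoadInt64(&signer.calls) - before, nil
}

func main() {
	calls, err := HandshakeSignCalls(100)
	if err != nil {
		panic(err)
	}
	fmt.Printf("100 records exchanged, %d private-key operation(s)\n", calls)
}
```

The practical consequence for an HSM deployment is that the device's throughput bounds handshakes per second, not bytes per second, and that the session keys derived from that one operation exist in host memory for the life of the connection; protecting them is a host-hardening problem, not something the HSM can do for you.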