Re: mod_ssl and pkcs11
Maybe it's time to remove all redundant code in mod_ssl and use all features of OpenSSL; PKCS#11 will then be automatically supported and the maintenance of mod_ssl will be simplified a lot.

On 26-11-2013 18:55, Kaspar Brand wrote:
> On 26.11.2013 16:44, Graham Leggett wrote:
>> Hi all,
>>
>> I am trying to use a pkcs11 engine within mod_ssl, and am digging as to how this might be done. The closest I've found is this patch https://issues.apache.org/bugzilla/show_bug.cgi?id=52473
>>
>> Anyone know if there is anything newer out there?
>
> I don't know, but perhaps https://issues.apache.org/bugzilla/show_bug.cgi?id=42688 is a better starting point than PR 52473 (which is based on PR 42687, from looking at its description).
>
> Kaspar

Re: mod_ssl and pkcs11
On 27/11/2013 12:26, Nick Gearls wrote:
> Maybe it's time to remove all redundant code in mod_ssl and use all features of OpenSSL; PKCS#11 will then be automatically supported and the maintenance of mod_ssl will be simplified a lot.

PKCS#11 support isn't native in OpenSSL though some third party ENGINEs do include partial support.

Completely transparent support is tricky (and in some cases impossible) due to several factors including the way PKCS#11 handles fork().

Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com

Re: mod_ssl and pkcs11
On 27.11.2013 15:33, Dr Stephen Henson wrote:
> On 27/11/2013 12:26, Nick Gearls wrote:
>> Maybe it's time to remove all redundant code in mod_ssl and use all features of OpenSSL; PKCS#11 will then be automatically supported and the maintenance of mod_ssl will be simplified a lot.
>
> PKCS#11 support isn't native in OpenSSL though some third party ENGINEs do include partial support.
>
> Completely transparent support is tricky (and in some cases impossible) due to several factors including the way PKCS#11 handles fork().

Right, that's also the major topic which https://issues.apache.org/bugzilla/show_bug.cgi?id=42688 is elaborating on. According to https://wiki.oasis-open.org/pkcs11/ShortTermItems, some fixes for https://wiki.oasis-open.org/pkcs11/MultipleCallersPerProcess might make it into PKCS#11 v2.40.

Engine PKCS#11 (https://github.com/OpenSC/engine_pkcs11) hasn't seen much activity since 2010, are you aware of alternatives?

Kaspar

mod_ssl and pkcs11
Hi all,

I am trying to use a pkcs11 engine within mod_ssl, and am digging as to how this might be done. The closest I've found is this patch https://issues.apache.org/bugzilla/show_bug.cgi?id=52473

Anyone know if there is anything newer out there?

Regards,
Graham
--

Re: mod_ssl and pkcs11
On 26.11.2013 16:44, Graham Leggett wrote:
> Hi all,
>
> I am trying to use a pkcs11 engine within mod_ssl, and am digging as to how this might be done. The closest I've found is this patch https://issues.apache.org/bugzilla/show_bug.cgi?id=52473
>
> Anyone know if there is anything newer out there?

I don't know, but perhaps https://issues.apache.org/bugzilla/show_bug.cgi?id=42688 is a better starting point than PR 52473 (which is based on PR 42687, from looking at its description).

Kaspar