You will notice that the PR moves HSM private key loading to the child (after 
fork()). Some further explanation is in order:

Engines like AWS CloudHSM (SafeNet "gem" and "LunaCA3" engines) are wrappers 
around their PKCS#11 implementations. Some of these libraries do not behave 
predictably after fork(). For example, if the token is initialized in the master 
process and some HSM keys are loaded there, the handles can become invalid in a 
fork()'ed child, or you will get weird runtime errors.

GnuTLS describes this problem: 
https://www.gnutls.org/manual/gnutls.html#PKCS11-Initialization

Using OpenSC or SoftHSM2 is usually not a problem as they handle fork() 
properly.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/1484#issuecomment-374459519
_______________________________________________
Kamailio (SER) - Development Mailing List
sr-dev@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-dev
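The fork-ordering problem described in the message above, shown as an added C example that is not part of the Kamailio PR or of any vendor library. It uses a constructed mock token (a hypothetical API, not real PKCS#11 calls) that, like some providers, ties its session and key handles to the PID that created them, and contrasts loading the key in the parent before fork() with loading it in the child that will actually use it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed stand-in for a PKCS#11 token session (hypothetical API, not a
 * real vendor library). Some providers tie sessions and object handles to the
 * process that created them and misbehave when a fork()'ed child reuses them;
 * this mock makes that behaviour explicit by recording the owner PID. */
typedef struct {
    pid_t owner_pid;   /* process that called mock_token_init() */
    int   initialized;
} mock_token;

typedef struct {
    pid_t owner_pid;   /* process that loaded the key */
    int   handle;      /* constructed object handle */
} mock_key;

static int mock_token_init(mock_token *t)
{
    t->owner_pid = getpid();
    t->initialized = 1;
    return 0;
}

static int mock_load_key(const mock_token *t, mock_key *k)
{
    if (!t->initialized)
        return -1;
    k->owner_pid = getpid();
    k->handle = 42;          /* constructed value */
    return 0;
}

/* Returns 0 if the session and handle belong to the calling process,
 * -1 otherwise (the "invalid handle after fork()" failure). */
static int mock_sign(const mock_token *t, const mock_key *k)
{
    if (!t->initialized || t->owner_pid != getpid() || k->owner_pid != getpid())
        return -1;
    return 0;
}

/* Waits for the child and maps its exit status to 0 (sign ok) / -1 (failed). */
static int wait_child(pid_t pid)
{
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -2;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Pattern the PR moves away from: initialise the token and load the private
 * key in the parent, then fork() and sign in the child. */
int sign_with_key_loaded_before_fork(void)
{
    mock_token tok;
    mock_key key;
    mock_token_init(&tok);
    mock_load_key(&tok, &key);

    pid_t pid = fork();
    if (pid < 0)
        return -2;
    if (pid == 0)
        _exit(mock_sign(&tok, &key) == 0 ? 0 : 1);   /* handle is now foreign */
    return wait_child(pid);
}

/* Pattern the PR adopts: fork() first, then initialise the token and load the
 * private key inside the child that will actually use it. */
int sign_with_key_loaded_in_child(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -2;
    if (pid == 0) {
        mock_token tok;
        mock_key key;
        mock_token_init(&tok);
        mock_load_key(&tok, &key);
        _exit(mock_sign(&tok, &key) == 0 ? 0 : 1);
    }
    return wait_child(pid);
}

int main(void)
{
    printf("key loaded before fork: %s\n",
           sign_with_key_loaded_before_fork() == 0 ? "ok" : "invalid handle");
    printf("key loaded in child:    %s\n",
           sign_with_key_loaded_in_child() == 0 ? "ok" : "invalid handle");
    return 0;
}
```

The PID check in mock_sign is the same kind of fork detection the GnuTLS manual describes; with a real provider the equivalent of pattern B is to run the engine/PKCS#11 initialisation and key loading in each worker after it has been forked, so no session or handle ever crosses a process boundary.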