You will notice that the PR moves HSM private keys loading to child (after
fork()). Some further explanation is in order:
Engines like AWS CloudHSM(SafeNet "gem" and "LunaCA3" engines) are wrappers
around their PKCS 11 implementations. Some of these libraries do not behave
predictably after fork(). For example, if the token is initialized in master,
then some HSM keys loaded, the handles can become invalid in a fork()'ed child
or you will get weird runtime errors.
GNUTLS describes this problem:
https://www.gnutls.org/manual/gnutls.html#PKCS11-Initialization
Using opensc or SoftHSM2 is usually not a problem as they handle fork()
properly.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/1484#issuecomment-374459519
_______________________________________________
Kamailio (SER) - Development Mailing List
sr-dev@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-dev