Posted to dev@httpd.apache.org by Graham Leggett <mi...@sharp.fm> on 2013/11/26 16:44:20 UTC

mod_ssl and pkcs11

Hi all,

I am trying to use a pkcs11 engine within mod_ssl, and am digging as to how this might be done.

The closest I've found is this patch https://issues.apache.org/bugzilla/show_bug.cgi?id=52473

Anyone know if there is anything newer out there?

Regards,
Graham
--


Re: mod_ssl and pkcs11

Posted by Kaspar Brand <ht...@velox.ch>.
On 27.11.2013 15:33, Dr Stephen Henson wrote:
> On 27/11/2013 12:26, Nick Gearls wrote:
>> Maybe it's time to remove all redundant code in mod_ssl and use all features of
>> OpenSSL; PKCS#11 will then be automatically supported and the maintenance of
>> mod_ssl will be simplified a lot.
>>
> 
> PKCS#11 support isn't native in OpenSSL though some third party ENGINEs do
> include partial support.
> 
> Completely transparent support is tricky (and in some cases impossible) due
> to several factors including the way PKCS#11 handles fork().

Right, that's also the major topic which
https://issues.apache.org/bugzilla/show_bug.cgi?id=42688 is elaborating on.

According to https://wiki.oasis-open.org/pkcs11/ShortTermItems, some
fixes for https://wiki.oasis-open.org/pkcs11/MultipleCallersPerProcess
might make it into PKCS#11 v2.40.

Engine PKCS#11 (https://github.com/OpenSC/engine_pkcs11) hasn't seen
much activity since 2010; are you aware of alternatives?

Kaspar

Re: mod_ssl and pkcs11

Posted by Dr Stephen Henson <sh...@opensslfoundation.com>.
On 27/11/2013 12:26, Nick Gearls wrote:
> Maybe it's time to remove all redundant code in mod_ssl and use all features of
> OpenSSL; PKCS#11 will then be automatically supported and the maintenance of
> mod_ssl will be simplified a lot.
> 

PKCS#11 support isn't native in OpenSSL though some third party ENGINEs do
include partial support.

Completely transparent support is tricky (and in some cases impossible) due
to several factors including the way PKCS#11 handles fork().

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson@opensslfoundation.com

Re: mod_ssl and pkcs11

Posted by Nick Gearls <ni...@gmail.com>.
Maybe it's time to remove all redundant code in mod_ssl and use all 
features of OpenSSL; PKCS#11 will then be automatically supported and 
the maintenance of mod_ssl will be simplified a lot.

On 26-11-2013 18:55, Kaspar Brand wrote:
> On 26.11.2013 16:44, Graham Leggett wrote:
>> Hi all,
>>
>> I am trying to use a pkcs11 engine within mod_ssl, and am digging as to how this might be done.
>>
>> The closest I've found is this patch https://issues.apache.org/bugzilla/show_bug.cgi?id=52473
>>
>> Anyone know if there is anything newer out there?
> I don't know, but perhaps
> https://issues.apache.org/bugzilla/show_bug.cgi?id=42688 is a better
> starting point than PR 52473 (which is based on PR 42687, from looking
> at its description).
>
> Kaspar
>


Re: mod_ssl and pkcs11

Posted by Kaspar Brand <ht...@velox.ch>.
On 26.11.2013 16:44, Graham Leggett wrote:
> Hi all,
> 
> I am trying to use a pkcs11 engine within mod_ssl, and am digging as to how this might be done.
> 
> The closest I've found is this patch https://issues.apache.org/bugzilla/show_bug.cgi?id=52473
> 
> Anyone know if there is anything newer out there?

I don't know, but perhaps
https://issues.apache.org/bugzilla/show_bug.cgi?id=42688 is a better
starting point than PR 52473 (which is based on PR 42687, from looking
at its description).

Kaspar