On 27 Nov 2023, at 15:02, Ingo Franzki <ifran...@linux.ibm.com> wrote:

> The mod_ssl module has support for loading keys and certificates from OpenSSL 
> engines via PKCS#11 URIs at SSLCertificateFile and SSLCertificateKeyFile, 
> e.g. using the PKCS#11 engine part of libp11 
> (https://github.com/OpenSC/libp11). 
> 
> This works fine, but with OpenSSL 3.0 engines got deprecated, and a new 
> provider concept is used.
> OpenSSL 1.1.1 is no longer supported by the OpenSSL organization 
> (https://www.openssl.org/blog/blog/2023/09/11/eol-111/), 
> and newer distributions all have OpenSSL 3.x included.
> Currently, engines do still work, but since they are deprecated, they will at 
> some point in time no longer be working.
> 
> With OpenSSL 3.x providers one can implement loading of keys and 
> certificates by implementing a STORE method.
> With this, keys and certificates can be loaded for example from PKCS#11 
> modules via PKCS#11 URIs, just like it was possible with a PKCS#11 engine. 
> 
> Please find below some code changes required to support loading the server 
> private key and certificates from a PKCS#11 provider using OpenSSL STORE 
> providers. 

Definite +1 in principle.

> Index: docs/manual/mod/mod_ssl.html.en.utf8
> ===================================================================
> --- docs/manual/mod/mod_ssl.html.en.utf8      (revision 1914150)
> +++ docs/manual/mod/mod_ssl.html.en.utf8      (working copy)
> @@ -666,7 +666,7 @@

Would it be possible to patch mod_ssl.xml instead of the html file? The html is 
autogenerated.

> Index: modules/ssl/ssl_engine_config.c
> ===================================================================
> --- modules/ssl/ssl_engine_config.c   (revision 1914150)
> +++ modules/ssl/ssl_engine_config.c   (working copy)
> @@ -689,6 +689,11 @@
>     if (strcEQ(arg, "builtin")) {
>         mc->szCryptoDevice = NULL;
>     }
> +#if MODSSL_USE_OPENSSL_STORE
> +    else if (strcEQ(arg, "provider")) {
> +        mc->szCryptoDevice = arg;
> +    }
> +#endif
> #if MODSSL_HAVE_ENGINE_API
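Review bot: the new `provider` branch overloads `mc->szCryptoDevice` with the literal directive argument (`mc->szCryptoDevice = arg;`), a field the `MODSSL_HAVE_ENGINE_API` code that follows treats as an engine name; every consumer of `szCryptoDevice` therefore needs a matching `strcEQ(mc->szCryptoDevice, "provider")` check, and a dedicated flag would make that distinction explicit. Please include those call sites in the same patch, and note that storing `arg` directly relies on the directive string living as long as the module config, as the existing engine branch presumably already does.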

This patch isn’t applying for me; it looks like the leading spaces have been lost. 
Would it be possible to try attaching it as a file?

Regards,
Graham