On 04.12.2023 15:32, Yann Ylavic wrote:
> Hi;
> 
> On Mon, Dec 4, 2023 at 8:53 AM Ingo Franzki <ifran...@linux.ibm.com> wrote:
>>
>> On 02.12.2023 11:20, Graham Leggett via dev wrote:
>>> On 27 Nov 2023, at 15:02, Ingo Franzki <ifran...@linux.ibm.com> wrote:
>>>
>>>> The mod_ssl module has support for loading keys and certificates from 
>>>> OpenSSL engines via PKCS#11 URIs at SSLCertificateFile and 
>>>> SSLCertificateKeyFile, e.g. using the PKCS#11 engine part of libp11 
>>>> (https://github.com/OpenSC/libp11).
>>>>
>>>> This works fine, but with OpenSSL 3.0 engines got deprecated, and a new 
>>>> provider concept is used.
>>>> OpenSSL 1.1.1 is no longer supported by the OpenSSL organization 
>>>> (https://www.openssl.org/blog/blog/2023/09/11/eol-111/),
>>>> and newer distributions all have OpenSSL 3.x included.
>>>> Currently, engines do still work, but since they are deprecated, they will 
>>>> at some point in time no longer be working.
>>>>
>>>> With OpenSSL 3.x providers one can implement loading of keys and 
>>>> certificates by implementing a STORE method.
>>>> With this, keys and certificates can be loaded for example from PKCS#11 
>>>> modules via PKCS#11 URIs, just like it was possible with a PKCS#11 engine.
>>>>
>>>> Please find below some code changes required to support loading the server 
>>>> private key and certificates from a PKCS#11 provider using OpenSSL STORE 
>>>> providers.
>>>
>>> Definite +1 in principle.
> 
> +1, thanks for the patch!
> 
>>
>> Please see the patch file attached.
>> I also fixed two minor bugs that I found during testing.
>>
>> You can also look at the patch here:
>> https://github.com/ifranzki/httpd/commit/4bb3ea191bc2c77608b4811817ad7f63177dd931
>>
>> If you want, I can even submit a pull request to 
>> https://github.com/apache/httpd.
>> Let me know what you prefer.
> 
> Yes please do this, it's easier to comment on the code and it also
> gets tested by the ci.
See https://github.com/apache/httpd/pull/397
> 
> 
> Regards;
> Yann.

-- 
Ingo Franzki
eMail: ifran...@linux.ibm.com  
Tel: ++49 (0)7031-16-4648
Linux on IBM Z Development, Schoenaicher Str. 220, 71032 Boeblingen, Germany

IBM Deutschland Research & Development GmbH
Vorsitzender des Aufsichtsrats: Gregor Pillen
Geschäftsführung: David Faller
Sitz der Gesellschaft: Böblingen / Registergericht: Amtsgericht Stuttgart, HRB 
243294
IBM DATA Privacy Statement: https://www.ibm.com/privacy/us/en/
