https://issues.apache.org/bugzilla/show_bug.cgi?id=57510
--- Comment #5 from Kaspar Brand <[email protected]> ---

(In reply to Pichulin Dmitrii from comment #3)
> at this point of time
> Apache httpd can not load private keys from tokens at all.
>
> This functionality is becoming more and more crucial over time.

This is debatable. Looking at how few reactions there were to bug 42687 (and an accompanying thread on httpd-dev which ended here [1]), I remain sceptical about the urgency of such a feature.

Generally speaking, I would mostly be in favor of having decent PKCS#11 support in mod_ssl, as I consider this a much less idiosyncratic way of supporting hardware-based keys than using custom per-token OpenSSL engines (I'm aware of engine_pkcs11, which at least provides indirect PKCS#11 support for OpenSSL).

> Our patch
> can simply add this functionality without any consequences. It can be
> upgraded later with a better solution if it's needed.

I beg to differ. It amounts to what is sometimes called creeping featurism: from an httpd maintainer's point of view, adding such an option is not just a question of committing a few additional lines of code. It's about devising / deciding on a sensible solution for supporting token-based keys, documenting this feature, making sure it doesn't break with new httpd or OpenSSL releases, etc.

> Our vision is that OpenSSL is preconfigured and SSLCertificateKeyFile just
> use ENGINE_by_id (and then ENGINE_load_private_key)

Repurposing a directive which is clearly referring to "File" by its very name already suggests that this is a fairly hasty way of adding engine-based key support. The public-key part of the story is not addressed either; at least SSLCertificateFile would have to be taken into account, too.

> Your vision is that OpenSSL should be configured by Apache httpd, can you
> provide information why?

Because that's the approach mod_ssl takes for all other OpenSSL configuration things (SSLCipherSuite, SSLProtocol, etc., or the new SSLOpenSSLConfCmd for 1.0.2 and later).

How OpenSSL is configured for the use by mod_ssl should be evident from the examination of the (self-contained) httpd configuration, and not depend on a potentially system-wide openssl.cnf file shared with other applications.

[1] https://mail-archives.apache.org/mod_mbox/httpd-dev/200706.mbox/%[email protected]%3E
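As an added illustration of the approach the comment argues for (mod_ssl carrying every OpenSSL setting in its own directives, including the SSLOpenSSLConfCmd pass-through, rather than relying on a shared openssl.cnf), the vhost fragment below is not part of the bug report, the submitted patch, or httpd's own documentation. The hostname, file paths and the particular cipher, curve and signature-algorithm choices are assumptions made for the example.

```apache
# Added example, not from bug 57510: a TLS vhost in which every OpenSSL
# setting is visible in httpd's own configuration. Hostname, file paths
# and the chosen parameters are assumptions for illustration only.
Listen 443
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on

    # Key material stays file-based, which is what the directive names promise.
    SSLCertificateFile    /etc/httpd/tls/example.crt
    SSLCertificateKeyFile /etc/httpd/tls/example.key

    # Protocol and cipher policy set by mod_ssl, not inherited from openssl.cnf.
    SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite      ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    SSLHonorCipherOrder on

    # Lower-level OpenSSL parameters (httpd 2.4.8+ with OpenSSL 1.0.2+) handed
    # to OpenSSL's SSL_CONF interface, so they are still part of this file
    # and are reviewed together with the rest of the vhost.
    SSLOpenSSLConfCmd Curves secp384r1:prime256v1
    SSLOpenSSLConfCmd SignatureAlgorithms RSA+SHA256:ECDSA+SHA256
    SSLOpenSSLConfCmd DHParameters /etc/httpd/tls/dhparams.pem
</VirtualHost>
```

Run `apachectl configtest` after editing so that a misspelled directive or an SSLOpenSSLConfCmd command the linked OpenSSL does not know is reported before the server starts. Placing the same Curves or SignatureAlgorithms settings in a system-wide openssl.cnf would instead apply to every application that loads that file, which is exactly the coupling the comment objects to.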
