Hi Goetz,

> Francisco Corella wrote:
>
> > I have spent several hours searching the mailing list archive looking for
> > hardware key storage solutions compatible with mod_ssl. NCipher provides
> > one. Are there any others? I saw several emails mentioning the existence
> > of others, but nothing concrete. One email mentioned Broadcom in addition
> > to NCipher, but Broadcom sells chips, and I'm looking for a PCI card. I
> > have contacted several manufacturers of SSL accelerators but haven't been
> > able to get any answers concerning key storage except from NCipher.
>
> OpenSSL comes with built-in support for different
> crypto hardware (called ENGINE, in crypto/engine/).
> But support for additional crypto engines may be added at run time.
>
> Please search the OpenSSL web pages.

I think I understand, at least in principle, how to use hardware crypto with mod_ssl. But there are two ways of doing it, depending on where you keep the server key:

(a) You may keep the server key in a file specified by the directive SSLCertificateKeyFile, and send the key to the hardware for each operation that requires use of the key. Or,

(b) You may keep the server key in the hardware, and tell the hardware what key to use for each operation in some ad-hoc fashion.

My understanding is that most hardware crypto uses option (a). I know that nCipher lets you use option (a) or option (b), but using option (b) requires buying the tamperproof card called "nForce", which is very expensive, instead of the vanilla "nFast" card.

What I was asking is whether there is other crypto hardware out there that lets you use option (b). I'm hoping to find something less expensive than nForce.

Francisco

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]