Well, I got a baby SSL server working in java with the cert and key being 
fetched from the card.

I've noticed a couple things, however, that make this whole project somewhat 
less tenable:

1. If the card has multiple certs on it, you need to go to the trouble of 
making your own custom X509KeyManager that gives you control over which 
cert/key a given SSLServerSocketFactory will use, if that's what you want to do.

2. Perhaps more fatally, it appears that having a PKCS11 keystore is an 
exclusive activity - two processes attempting to access the card don't share 
it, as I had hoped, but rather the second hangs until the first one exits. So 
if I am going to do this for real, it's likely that I'll have to have a single 
"SSL Proxy" process to handle all possible SSL connections and then hand them 
off to the associated unencrypted ports. Sort of like STunnel.

3. Setting up STunnel to use the openssl engine support fails utterly. And two 
stunnel binaries with the same version behave differently. Binary "A" works up 
to the point of listening for connections, but any connection fails with 

18922:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record 
mac:/SourceCache/OpenSSL098/OpenSSL098-30/src/ssl/s3_pkt.c:1061:SSL alert 
number 20
18922:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake 
failure:/SourceCache/OpenSSL098/OpenSSL098-30/src/ssl/s23_lib.c:188:

and on the server

2010.02.24 15:35:40 LOG7[65549:675857408]: SSL state (accept): before/accept 
initialization
2010.02.24 15:35:40 LOG7[65549:675857408]: SSL state (accept): SSLv3 read 
client hello A
2010.02.24 15:35:40 LOG7[65549:675857408]: SSL state (accept): SSLv3 write 
server hello A
2010.02.24 15:35:40 LOG7[65549:675857408]: SSL state (accept): SSLv3 write 
certificate A
2010.02.24 15:35:40 LOG7[65549:675857408]: SSL state (accept): SSLv3 write 
server done A
2010.02.24 15:35:40 LOG7[65549:675857408]: SSL state (accept): SSLv3 flush data
2010.02.24 15:35:40 LOG7[65549:675857408]: SSL state (accept): SSLv3 read 
client key exchange A
2010.02.24 15:35:40 LOG7[65549:675857408]: SSL alert (write): fatal: bad record 
mac
2010.02.24 15:35:40 LOG3[65549:675857408]: SSL_accept: 1408F119: 
error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
2010.02.24 15:35:40 LOG5[65549:675857408]: Connection reset: 0 bytes sent to 
SSL, 0 bytes sent to socket

With binary "B", any attempt to load the engine_pkcs11.so results in the 
stunnel executable exiting without any diagnostic messages whatsoever, despite 
debug set to 7 and foreground turned on.

Binary "B" came straight from the FreeBSD ports tree. I'm not sure where binary 
"A" came from, except that I likely either built it from the ports tree myself 
some time ago or fetched it from the package repository. Either way, it reports 
the same version as binary B.

4. openssl's s_server works ok, but similarly locks the card up while it's 
running. s_server also doesn't seem to be able to fetch the certificate off the 
card - instead requiring you to put it on a file in the filesystem. No issue 
for security, of course - the cert is given out during the SSL exchange anyway. 
More fatally, s_server doesn't include the intermediate CA cert, which means 
that clients don't trust it. Of course, s_server is just a test anyway.
_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle

Reply via email to