Hi Maxim,
On Mon, Nov 10, 2014 at 4:11 PM, Maxim Dounin <mdou...@mdounin.ru> wrote:
> Hello!
>
> On Mon, Nov 10, 2014 at 03:54:20PM +0100, Thomas Calderon wrote:
>
> > Hi all,
> >
> > Is someone else interested in providing feedback for my patch?
>
> Dmitrii's patch is currently a primary candidate for inclusion. I
> agree with Piotr - it looks much better as it doesn't introduce
> additional dependencies and more configuration directives to do
> the same thing.

Well, a user will need to use OpenSC's engine_pkcs11 in order to use its own PKCS#11 library. Although this is an external dependency, without it Dmitrii's patch is pretty much useless.

As for the addition of configuration directives, a user will need to use the global openssl.cnf in order to have a meaningful PKCS#11 configuration, with the various shortcomings I mentioned in my previous post.

I understand that the nginx team desires to minimize the various changes that are introduced in the code base. IMHO, adding support for PKCS#11 devices should not be overlooked or simplified; it should be a first-class feature and have mainstream support, hence its configuration directives.

Are you sure that Dmitrii's patch will allow the use of dedicated key-pairs for each site declaration?

Regards,

Thomas.

> > Regards,
> >
> > Thomas.
> >
> > On Mon, Nov 3, 2014 at 11:30 PM, Thomas Calderon <calderon.tho...@gmail.com> wrote:
> >
> > > Hi Piotr,
> > >
> > > I was not aware that some efforts were ongoing to use PKCS#11 devices with nginx.
> > > However, my experience with OpenSSL engine support is that the code is
> > > dusty, rather limited and relies on external configuration files.
> > > Dmitrii's approach requires to stack the OpenSSL engine code and OpenSC's
> > > engine_pkcs11 which ends up loading the real PKCS#11 middleware.
> > > OpenSSL tends to perform multiple engine initialization which can confuse
> > > the PKCS#11 shared library. Using the engine section in openssl.cnf ties
> > > you up with a system-wide defined middleware.
> > >
> > > I would rather advocate for a more direct and self-contained approach.
> > >
> > > Regards,
> > >
> > > Thomas Calderon.
> > >
> > > On Mon, Nov 3, 2014 at 10:50 PM, Piotr Sikora <pi...@cloudflare.com> wrote:
> > >
> > >> Hi Thomas,
> > >>
> > >> > This patch leverages PKCS#11 support in nginx http module using libp11.
> > >> > This allows the private key to be stored in a dedicated hardware (or
> > >> > software) component.
> > >>
> > >> Dmitrii Pichulin is already working on (IMHO) a much better way to
> > >> handle PKCS#11 via OpenSSL engines:
> > >> http://mailman.nginx.org/pipermail/nginx-devel/2014-August/005740.html
> > >>
> > >> Best regards,
> > >> Piotr Sikora
> > >>
> > >> _______________________________________________
> > >> nginx-devel mailing list
> > >> nginx-devel@nginx.org
> > >> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
> --
> Maxim Dounin
> http://nginx.org/
_______________________________________________ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
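For readers following the engine-based approach discussed in this thread, the fragment below is an added illustration (not code from the thread, from nginx, or from Dmitrii's patch) of the kind of process-wide openssl.cnf engine section that OpenSSL's engine_pkcs11 is configured through. Every path, the engine id and the PIN are assumptions chosen for the example; adjust them to the installed engine_pkcs11 and PKCS#11 module. The point it makes visible is the one Thomas raises: a single MODULE_PATH is selected for the whole process by a file outside nginx.conf, so all server blocks in that nginx instance end up using the same PKCS#11 middleware.

```ini
# Added example openssl.cnf fragment (assumed paths); not part of the mailing-list thread.
# OpenSSL reads this file process-wide, so the engine and the PKCS#11 module chosen
# here apply to every key loaded through the engine in the same nginx process.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
# Assumed engine id and locations of engine_pkcs11 and the PKCS#11 middleware.
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/opensc-pkcs11.so
# Optional: a PIN stored here is readable by anyone who can read this file,
# so protect the file's permissions accordingly (assumed value).
PIN = 123456
init = 0
```

Only one MODULE_PATH can be named in a given section, which is why the thread describes this as tying the deployment to a system-wide defined middleware; per-site selection of a different PKCS#11 library would require configuration that this file alone does not express.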