Hello! On Wed, Jul 12, 2023 at 05:07:03PM +0300, Vesa Jääskeläinen via nginx-devel wrote:
> (I hope this goes properly out as I had major issues with hg email so
> combined hg export + git send-email)
>
> It is convenient to keep X.509 certificates related to key pairs stored in
> openssl engine within the engine.
>
> Implementation uses 'LOAD_CERT_CTRL' extension to fetch certificate from
> the engine. This extension is not supported by all engines and in those
> cases it should report with an error.
>
> Configuration is similar to what it is for 'ssl_certificate_key'.
>
> First certificate must match with ssl_certificate_key's key pair; rest of
> the certificates are added to the certificate chain.
>
> Example configuration with libp11's pkcs11 engine:
>
> ssl_certificate "engine:pkcs11:pkcs11:token=mytoken;object=mykey
>                  engine:pkcs11:pkcs11:token=mytoken;object=int-ca";
> ssl_certificate_key
>     "engine:pkcs11:pkcs11:token=mytoken;object=mykey?pin-value=mypin";
>
> Tested the loading with two pkcs11 implementations SoftHSMv2 and with
> OP-TEE's PKCS11 Trusted Application running on Embedded Linux device.
>
> First three commits are the main beef and in order to make it more flexible
> added also last commit allowing intermediate certificates loaded from file
> system.
>
> Separator of space is used as there was already existing use of array for
> ssl_certificate configuration.

Just in case, a similar proposal was previously discussed here:

https://mailman.nginx.org/pipermail/nginx-devel/2020-April/013130.html
https://mailman.nginx.org/pipermail/nginx-devel/2020-May/013142.html

Notably, the review is here:

https://mailman.nginx.org/pipermail/nginx-devel/2020-May/013152.html

I'm additionally sceptical about this given that the engine interface is deprecated by OpenSSL.

-- 
Maxim Dounin
http://mdounin.ru/
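The quoted proposal describes a directive value format: a space-separated list where each entry is either a file path or an `engine:<engine-id>:<object-id>` reference, the first entry being the leaf certificate that must match the key and the remaining entries forming the chain in order. The following is an added, stand-alone illustration of how such a value decomposes, written for this thread and not taken from nginx or from the patch series; the type and function names (`cert_ref`, `parse_one`, `parse_cert_list`, `redact_pin`) are assumptions, and the sample value is constructed from the configuration shown above. It also blanks the `pin-value` query attribute before the identifier is printed, since an object id that carries a PIN should never reach an error log verbatim.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CERTS 8

/* One entry of a space-separated ssl_certificate / ssl_certificate_key value
 * (names in this file are illustrative, not nginx's). */
typedef struct {
    char engine[32];    /* OpenSSL engine id, e.g. "pkcs11" (empty for a plain file path) */
    char id[256];       /* object id handed to the engine (e.g. a PKCS#11 URI), or the file path */
    int  from_engine;   /* 1 when the value carried the "engine:" prefix */
} cert_ref;

/* Parse one value of the form "engine:<engine-id>:<object-id>"; a value without
 * the prefix is kept as a file path. Returns 0 on success, -1 if malformed. */
static int parse_one(const char *value, size_t len, cert_ref *out)
{
    const char *p, *colon;
    size_t elen;

    memset(out, 0, sizeof(*out));
    if (len >= sizeof(out->id)) {
        return -1;
    }
    if (len < 7 || strncmp(value, "engine:", 7) != 0) {
        memcpy(out->id, value, len);          /* file path, no engine involved */
        return 0;
    }
    p = value + 7;
    colon = memchr(p, ':', len - 7);
    /* engine id and object id must both be non-empty */
    if (colon == NULL || colon == p || (size_t)(colon - value) + 1 == len) {
        return -1;
    }
    elen = (size_t)(colon - p);
    if (elen >= sizeof(out->engine)) {
        return -1;
    }
    memcpy(out->engine, p, elen);
    memcpy(out->id, colon + 1, len - (size_t)(colon + 1 - value));
    out->from_engine = 1;
    return 0;
}

/* Split a space-separated directive value. refs[0] is the leaf certificate (it
 * must match the configured key); refs[1..] form the chain in the given order.
 * Returns the number of references, or -1 on a malformed entry or overflow. */
static int parse_cert_list(const char *value, cert_ref *refs, int max)
{
    const char *p = value;
    int n = 0;

    while (*p != '\0') {
        const char *start;
        while (*p == ' ') {
            p++;
        }
        if (*p == '\0') {
            break;
        }
        start = p;
        while (*p != '\0' && *p != ' ') {
            p++;
        }
        if (n == max || parse_one(start, (size_t)(p - start), &refs[n]) != 0) {
            return -1;
        }
        n++;
    }
    return n;
}

/* Copy an object id for logging with the pin-value query attribute blanked out. */
static void redact_pin(const char *id, char *out, size_t outlen)
{
    const char *marker = "pin-value=";
    const char *hit = strstr(id, marker);
    const char *rest;

    if (hit == NULL) {
        snprintf(out, outlen, "%s", id);
        return;
    }
    rest = hit + strlen(marker);
    /* the PIN ends at the next attribute separator or at end of string */
    while (*rest != '\0' && *rest != '&' && *rest != ';') {
        rest++;
    }
    snprintf(out, outlen, "%.*s<redacted>%s", (int)(rest - id - strlen(rest) - 0 + 0) - (int)(rest - hit - strlen(marker)), id, rest);
}

int main(void)
{
    cert_ref refs[MAX_CERTS];
    char shown[256];
    int i, n;

    /* constructed sample mirroring the configuration quoted in the thread */
    n = parse_cert_list("engine:pkcs11:pkcs11:token=mytoken;object=mykey "
                        "engine:pkcs11:pkcs11:token=mytoken;object=int-ca", refs, MAX_CERTS);
    for (i = 0; i < n; i++) {
        redact_pin(refs[i].id, shown, sizeof(shown));
        printf("%s: engine=%s id=%s\n", i == 0 ? "leaf" : "chain", refs[i].engine, shown);
    }
    return n > 0 ? 0 : 1;
}
```

The split on spaces matches the convention the proposal adopts because `ssl_certificate` already accepts an array; the separate check that the engine id and object id are both non-empty is the kind of validation a reviewer would expect before the value is handed to `ENGINE_ctrl_cmd`.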