On 22 February 2016 at 11:16, Nikos Mavrogiannopoulos <[email protected]> wrote:
> That's an implementation detail. As far as I know engine_pkcs11 does
> not require re-authentication after fork. It handles the pkcs11
> peculiarities internally.
>

AFAIK this works by caching the PIN in engine_pkcs11 internally and is OK for most of the use cases with smartcards. However, HSMs usually use more complex authentication schemes where this approach does not work, i.e. in order to log in there must be N of M physical tokens/cards with passwords presented in a sequence (requires vendor-specific extensions when used via PKCS#11). CHIL engine already handles such schemes very well and does not need to reauthenticate after fork.

Regards,
Jaroslav
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
