Hi, was there any follow-up to http://permalink.gmane.org/gmane.comp.web.haproxy/23039 ?
RFC: add support for OpenSSL Engine e.g. PKCS11 HSM
Summary:
The main change is config keywords for engine support, and per-process private key loading.
Reason: PKCS#11 libraries are not required to be fork() safe. E.g. the master process
loads the private key into the SSL context, then fork()s to a worker -> all handles to private key objects
may be invalid; this depends on the PKCS#11 library in question.
Counter-arguments from another project: nginx developers are not agreeable to this sort of change;
they expect the engine to handle fork(). However, this does not seem to be realistic in the real world.
https://forum.nginx.org/read.php?29,260557,260561#msg-260561
E.g. an OpenSSL engine provided by an HSM vendor which is a wrapper around the vendor's PKCS#11 library, and the vendor library is not fork() safe.
Design: keywords on bind:
- engine (enable OpenSSL engine)
- engine_conf (OpenSSL CONF file)
- engine_key_label (label of PKCS11 private key in HSM)
Example: bind … engine engine_conf /etc/haproxy/openssl.cnf engine_key_label myprivatekey
In ssl_sock.c: don't load the private key into the SSL_CTX if we are using an engine.

ssl_sock.c:ssl_sock_load_cert_file():
    if (!using_engine) {
        /* skipped for engine keys: we want to load this in the child process */
        SSL_CTX_use_PrivateKey_file(...);
        SSL_CTX_check_private_key(...);
    }

ssl_sock.c:ssl_sock_init():
    /* bind_conf gets a new flag recording whether the engine is initialized
       and the private key has been loaded in this process */
    if (using_engine && !private_key_loaded) {
        load private key from engine;
        private_key_loaded = 1;
    }
Comments?
I have a working patch if anyone is interested; but I would like to get your inputs first.