HAProxy community

PKCS#11 Revisited: OpenSSL Engine RFC


Hi, was there any follow up to



RFC: add support for OpenSSL Engine e.g. PKCS11 HSM

Main change is config keywords for engine support, and per proc private key loading.
Reason: PKCS#11 libraries are not required to be fork() safe. E.g. master process
loads private key in SSL context, fork() to worker -> all handles to private key objects
may be invalid: this depends on the PKCS11 library in question.

Counter-arguments from other project: nginx developers are not agreeable to this sort of change;
they expect the engine to handle fork(). However this does not seem to be realistic in the real world.


E.g. openssl engine provided by HSM vendor which is a wrapper around vendor PKCS11 library, vendor library i s not fork() safe.

Design: keywords on bind:

  • engine (enable OpenSSL engine)
  • engine_conf (OpenSSL CONF file)
  • engine_key_label (label of PKCS11 private key in HSM)
    Example: bind … engine engine_conf /etc/haproxy/openssl.cnf engine_key_label myprivatekey

in ssl_sock.c: don’t load private key into SSL_CTX if we are using engine


if (using_engine) // skip private key SSL_CTX_use_PrivateKey_file and SSL_CTX_check_private_key
because we want to load this stuff in the child process.


in the bind_conf structure we keep a new flag if engine is initialized and private key is load

if (using_engine && private_key not initialized) { load private key from engine }


I have a working patch if anyone is interested; but I would like to get your inputs first.


Please use the mailing list for those kind of discussions.


Hi, I tried this patch, but it does not work for me. It reads private key from HSM, but something is wrong.

openssl s_client … : no peer certificate available

Can you send your working patch please?