PKCS#11 Revisited: OpenSSL Engine RFC


#1

Hi, was there any follow up to

http://permalink.gmane.org/gmane.comp.web.haproxy/23039

?

RFC: add support for OpenSSL Engine e.g. PKCS11 HSM

Summary:
Main change is config keywords for engine support, and per proc private key loading.
Reason: PKCS#11 libraries are not required to be fork() safe. E.g. master process
loads private key in SSL context, fork() to worker -> all handles to private key objects
may be invalid: this depends on the PKCS11 library in question.

Counter-arguments from other project: nginx developers are not agreeable to this sort of change;
they expect the engine to handle fork(). However this does not seem to be realistic in the real world.

https://forum.nginx.org/read.php?29,260557,260561#msg-260561

E.g. openssl engine provided by HSM vendor which is a wrapper around vendor PKCS11 library, vendor library i s not fork() safe.

Design: keywords on bind:

  • engine (enable OpenSSL engine)
  • engine_conf (OpenSSL CONF file)
  • engine_key_label (label of PKCS11 private key in HSM)
    Example: bind … engine engine_conf /etc/haproxy/openssl.cnf engine_key_label myprivatekey

in ssl_sock.c: don’t load private key into SSL_CTX if we are using engine

ssl_sock.c:ssl_sock_load_cert_file()

if (using_engine) // skip private key SSL_CTX_use_PrivateKey_file and SSL_CTX_check_private_key
because we want to load this stuff in the child process.

ssl_sock.c:ssl_sock_init()
pseudocode:

in the bind_conf structure we keep a new flag if engine is initialized and private key is load

ssl_sock_init():
if (using_engine && private_key not initialized) { load private key from engine }

Comments?

I have a working patch if anyone is interested; but I would like to get your inputs first.


#2

Please use the mailing list for those kind of discussions.


#3

Hi, I tried this patch, but it does not work for me. It reads private key from HSM, but something is wrong.

openssl s_client … : no peer certificate available

Can you send your working patch please?