Bug 42688

Summary: engine managed keys: per process openssl context
Product: Apache httpd-2 Reporter: Robin Bryce <rbryce>
Component: mod_sslAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---    
Severity: enhancement CC: apache_bugzilla, rbryce
Priority: P2 Keywords: PatchAvailable
Version: 2.5-HEAD   
Target Milestone: ---   
Hardware: All   
OS: All   
Attachments: engine managed keys: per process openssl context

Description Robin Bryce 2007-06-18 04:53:02 UTC
This patch includes most of the changes provided in the patch for #42687 and
additionally guarantees a unique openssl context per process.

[Disclosure: This patch was produced under contract for nCipher PLC]

The "Applications and processes" rules set out in the pkcs11 standard  [p 17
PKCS #11 v2.2 6.6.1] require that each process holds a distinct context to the
pkcs11 implementation. mod_ssl has partial support for openssl's ENGINE api and
this, in turn, (almost) enables things like opensc's engine_pkcs11[1] to be
used with apache. The problem is mod_ssl shares a single openssl context across
all processes and engine_pkcs11 makes no attempt to deal with the fact that it
is accessed concurrently from different processes. I think it's debatable
whether the "pkc11 multi-process" issue should be explicitly dealt with in
mod_ssl or whether the ENGINE implementation should be expected to cope:
Exactly who is "the application": mod_ssl, the ENGINE plugin, the vendor
specific integration of the two with some hardware/software product ?

I propose that its a "good thing tm" if apache can provide an answer. Ideally
one that integrators can choose to enable or disable depending on what else is
in the software stack. For fully compliant pkcs11 use I think there are two
ways mod_ssl could chose to manage it:

A.) Support a mod of operation where a distinct openssl context is setup for
each process (bad news for pre-fork).

B.) Find some means to reliably re-load (and reconfigure) the engine instance
bound to openssl.

This bug report provides a patch that makes the least changes I could manage in
order to implement A.) and have it work with the worker mpm. It has been tested
a slightly modified version of engine_pkcs11[2] and forms the basis of apache
integration with an HSM enabled product from nCipher PLC[3].

I'll be posting a more general discussion of this patch and the, related, #42687
to a recent HSM/mod_ssl thread on http-dev. "Apache2 mod_ssl with HSM support"
(started on Tue, 29 May 2007)

[1] https://www.opensc-project.org/engine_pkcs11/

[2] Patches I have applied locally to opensc's engine_pkcs11


[3] http://www.ncipher.com/key_management/9/keyauthority
Comment 1 Robin Bryce 2007-06-18 04:55:35 UTC
Created attachment 20365 [details]
engine managed keys: per process openssl context

Option A.) as described in OP. Applies unconditionally to ANY SSLCryptoDevice.
No attempt is made to support IP based vhosts.