This bug report is a patch submission, sponsored by nCipher PLC, that provides the minimal changes necessary to:

1. Break the PEM file habit.
2. Disable ssl_engine_pphrase password entry and (asn.1 based) caching of certificates and keys read from those files.
3. Enable a pkcs11 based openssl ENGINE implementation to be used.

The change set introduced by this patch is *not* suitable for production use. Its primary purpose is to stimulate discussion of if/how mod_ssl should be changed to better support HSM managed keys and the pkcs11 standard.

This patch applies the above 3 changes if *any* SSLCryptoDevice is present in the apache config. It assumes the same SSLCryptoDevice is used server wide. No attempt is made to support distinct SSLCryptoDevices on a per (IP) based virtual host basis.

Support for 3 in this patch is limited: it requires that *either* -DONE_PROCESS is specified to apache on startup OR the pkcs11 implementation breaks the "Applications and processes" rules set out in the pkcs11 standard [p 17 PKCS #11 v2.2 6.6.1]. A subsequent patch will lift the restrictions for the worker mpm.

For fuller discussion please see the http-dev thread "Apache2 mod_ssl with HSM support" (started on Tue, 29 May 2007).
http://mail-archives.apache.org/mod_mbox/httpd-dev/200705.mbox/ajax/%3cB98CCF34D7B54844B011D9D9D6DDBEAD09B84D@gemtsv10.engy.local%3e
Created attachment 20364: Minimal support for (openssl) engine managed keys
*** Bug 52473 has been marked as a duplicate of this bug. ***
This is more or less done with the PKCS#11 support in 2.4.42, so probably can close this.
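For readers arriving from the original report (server-wide SSLCryptoDevice, no PEM files, no passphrase prompt) and from the closing comment (PKCS#11 support in 2.4.42), the following mod_ssl configuration is an added illustration of how engine-managed keys are referenced in that later, shipped form. It is not the attached patch, nor configuration taken from the thread. It assumes httpd 2.4.42 or later built against an OpenSSL that still offers the ENGINE API, with the libp11 "pkcs11" engine installed; the token name, object labels and hostname are placeholders.

```apache
# Added example, not part of the bug report or its attachment.
# Assumes httpd >= 2.4.42 with OpenSSL ENGINE support and the libp11
# "pkcs11" engine available to OpenSSL.

# One engine, configured once for the whole server. This mirrors the
# "same SSLCryptoDevice server wide" assumption of the original patch;
# per-virtual-host devices are still not expressed here.
SSLCryptoDevice pkcs11

Listen 443
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on

    # Certificate and private key are named by RFC 7512 PKCS#11 URIs
    # rather than PEM paths. The private key stays inside the token; httpd
    # only ever holds a handle to it, which is the point of the thread.
    # EXAMPLE_TOKEN, www-cert and www-key are placeholder labels.
    SSLCertificateFile    "pkcs11:token=EXAMPLE_TOKEN;object=www-cert;type=cert"
    SSLCertificateKeyFile "pkcs11:token=EXAMPLE_TOKEN;object=www-key;type=private"

    # The token PIN is requested through the normal passphrase mechanism
    # (assumption: same path as for encrypted PEM keys), so point it at a
    # non-interactive helper to avoid a prompt at startup. The helper is
    # a placeholder path; do not embed the PIN in the URI itself.
    SSLPassPhraseDialog "exec:/usr/local/sbin/hsm-pin-helper"
</VirtualHost>
```

Two things to check when adopting this shape: confirm with `openssl engine -t pkcs11` that the engine loads in the same environment httpd starts from, and verify that every worker process can reach the token, since the original patch's -DONE_PROCESS restriction came from the PKCS#11 rule that a session opened by a parent is not valid in a forked child.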