Bug 42687 - Fully delegate certificate & key semantics to the SSLCryptoDevice
Summary: Fully delegate certificate & key semantics to the SSLCryptoDevice
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl (show other bugs)
Version: 2.5-HEAD
Hardware: All All
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: PatchAvailable
: 52473 (view as bug list)
Depends on:
Blocks:
 
Reported: 2007-06-18 03:44 UTC by Robin Bryce
Modified: 2013-11-30 08:28 UTC (History)
4 users (show)



Attachments
Minimal support for (openssl) engine managed keys (17.19 KB, patch)
2007-06-18 03:48 UTC, Robin Bryce
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Robin Bryce 2007-06-18 03:44:56 UTC
This bug report is a patch submission, sponsored by nCipher PLC, that provides
the minimal changes necessary to:

 1. Break the PEM file habit.
 2. Disable ssl_engine_pphrase password entry and (asn.1 based) caching of
certificates and keys read from those files. 
 3. Enable a pkcs11 based openssl ENGINE implementation to be used.

The change set introduced by this patch is *not* suitable for production use.
It's primary purpose is to stimulate discussion of if/how mod_ssl should be
changed to better support HSM managed keys and the pkcs11 standard.

This patch applies the above 3 changes if *any* SSLCryptoDevice is present in
the apache config. It assumes the same SSLCryptoDevice is used server wide. No
attempt is made to support distinct SSLCryptoDevices on a per (IP) based virtual
host basis.

Support for 3 in this patch is limited: It requires that *either* -DONE_PROCESS
is specified to apache on startup OR the pkcs11 implementation breaks the
"Applications and processes" rules set out in the pkcs11 standard [p 17 PKCS #11
v2.2 6.6.1]. A subsequent patch will lift the restrictions for the worker mpm.

For fuller discussion please see the http-dev thread "Apache2 mod_ssl with HSM
support" (started on Tue, 29 May 2007). 
http://mail-archives.apache.org/mod_mbox/httpd-dev/200705.mbox/ajax/%3cB98CCF34D7B54844B011D9D9D6DDBEAD09B84D@gemtsv10.engy.local%3e"
Comment 1 Robin Bryce 2007-06-18 03:48:02 UTC
Created attachment 20364 [details]
Minimal support for (openssl) engine managed keys
Comment 2 Kaspar Brand 2013-11-30 08:28:37 UTC
*** Bug 52473 has been marked as a duplicate of this bug. ***