This patch includes most of the changes provided in the patch for #42687 and additionally guarantees a unique openssl context per process. [Disclosure: This patch was produced under contract for nCipher PLC] The "Applications and processes" rules set out in the pkcs11 standard [p 17 PKCS #11 v2.2 6.6.1] require that each process holds a distinct context to the pkcs11 implementation. mod_ssl has partial support for openssl's ENGINE api and this, in turn, (almost) enables things like opensc's engine_pkcs11[1] to be used with apache. The problem is mod_ssl shares a single openssl context across all processes and engine_pkcs11 makes no attempt to deal with the fact that it is accessed concurrently from different processes. I think it's debatable whether the "pkc11 multi-process" issue should be explicitly dealt with in mod_ssl or whether the ENGINE implementation should be expected to cope: Exactly who is "the application": mod_ssl, the ENGINE plugin, the vendor specific integration of the two with some hardware/software product ? I propose that its a "good thing tm" if apache can provide an answer. Ideally one that integrators can choose to enable or disable depending on what else is in the software stack. For fully compliant pkcs11 use I think there are two ways mod_ssl could chose to manage it: A.) Support a mod of operation where a distinct openssl context is setup for each process (bad news for pre-fork). B.) Find some means to reliably re-load (and reconfigure) the engine instance bound to openssl. This bug report provides a patch that makes the least changes I could manage in order to implement A.) and have it work with the worker mpm. It has been tested a slightly modified version of engine_pkcs11[2] and forms the basis of apache integration with an HSM enabled product from nCipher PLC[3]. I'll be posting a more general discussion of this patch and the, related, #42687 to a recent HSM/mod_ssl thread on http-dev. "Apache2 mod_ssl with HSM support" (started on Tue, 29 May 2007) [1] https://www.opensc-project.org/engine_pkcs11/ [2] Patches I have applied locally to opensc's engine_pkcs11 https://www.opensc-project.org/opensc/ticket/138 https://www.opensc-project.org/opensc/ticket/139 [3] http://www.ncipher.com/key_management/9/keyauthority
Created attachment 20365 [details] engine managed keys: per process openssl context Option A.) as described in OP. Applies unconditionally to ANY SSLCryptoDevice. No attempt is made to support IP based vhosts.