42688 – engine managed keys: per process openssl context

Bug 42688 - engine managed keys: per process openssl context

Summary: engine managed keys: per process openssl context

Status:	NEW

Alias:	None

Product:	Apache httpd-2
Classification:	Unclassified
Component:	mod_ssl (show other bugs)
Version:	2.5-HEAD
Hardware:	All All

Importance:	P2 enhancement (vote)
Target Milestone:	---
Assignee:	Apache HTTPD Bugs Mailing List

URL:
Keywords:	PatchAvailable

Depends on:
Blocks:

Reported:	2007-06-18 04:53 UTC by Robin Bryce
Modified:	2011-12-19 10:39 UTC (History)
CC List:	2 users (show)

Attachments
engine managed keys: per process openssl context (26.08 KB, patch) 2007-06-18 04:55 UTC, Robin Bryce	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robin Bryce 2007-06-18 04:53:02 UTC

This patch includes most of the changes provided in the patch for #42687 and
additionally guarantees a unique openssl context per process.

[Disclosure: This patch was produced under contract for nCipher PLC]

The "Applications and processes" rules set out in the pkcs11 standard  [p 17
PKCS #11 v2.2 6.6.1] require that each process holds a distinct context to the
pkcs11 implementation. mod_ssl has partial support for openssl's ENGINE api and
this, in turn, (almost) enables things like opensc's engine_pkcs11[1] to be
used with apache. The problem is mod_ssl shares a single openssl context across
all processes and engine_pkcs11 makes no attempt to deal with the fact that it
is accessed concurrently from different processes. I think it's debatable
whether the "pkc11 multi-process" issue should be explicitly dealt with in
mod_ssl or whether the ENGINE implementation should be expected to cope:
Exactly who is "the application": mod_ssl, the ENGINE plugin, the vendor
specific integration of the two with some hardware/software product ?

I propose that its a "good thing tm" if apache can provide an answer. Ideally
one that integrators can choose to enable or disable depending on what else is
in the software stack. For fully compliant pkcs11 use I think there are two
ways mod_ssl could chose to manage it:

A.) Support a mod of operation where a distinct openssl context is setup for
each process (bad news for pre-fork).

B.) Find some means to reliably re-load (and reconfigure) the engine instance
bound to openssl.

This bug report provides a patch that makes the least changes I could manage in
order to implement A.) and have it work with the worker mpm. It has been tested
a slightly modified version of engine_pkcs11[2] and forms the basis of apache
integration with an HSM enabled product from nCipher PLC[3].

I'll be posting a more general discussion of this patch and the, related, #42687
to a recent HSM/mod_ssl thread on http-dev. "Apache2 mod_ssl with HSM support"
(started on Tue, 29 May 2007)

[1] https://www.opensc-project.org/engine_pkcs11/

[2] Patches I have applied locally to opensc's engine_pkcs11

https://www.opensc-project.org/opensc/ticket/138
https://www.opensc-project.org/opensc/ticket/139


[3] http://www.ncipher.com/key_management/9/keyauthority

Comment 1 Robin Bryce 2007-06-18 04:55:35 UTC

Created attachment 20365 [details]
engine managed keys: per process openssl context

Option A.) as described in OP. Applies unconditionally to ANY SSLCryptoDevice.
No attempt is made to support IP based vhosts.