
List:       apache-httpd-dev
Subject:    Re: mod_ssl: Add support for loading keys from OpenSSL 3.x providers via STORE
From:       Ingo Franzki <ifranzki () linux ! ibm ! com>
Date:       2023-12-04 14:37:19
Message-ID: 7a95088c-0f52-41b5-81f9-b5f02335ea76 () linux ! ibm ! com

On 04.12.2023 15:32, Yann Ylavic wrote:
> Hi;
> 
> On Mon, Dec 4, 2023 at 8:53 AM Ingo Franzki <ifranzki@linux.ibm.com> wrote:
> > 
> > On 02.12.2023 11:20, Graham Leggett via dev wrote:
> > > On 27 Nov 2023, at 15:02, Ingo Franzki <ifranzki@linux.ibm.com> wrote:
> > > 
> > > > The mod_ssl module has support for loading keys and certificates from OpenSSL
> > > > engines via PKCS#11 URIs at SSLCertificateFile and SSLCertificateKeyFile,
> > > > e.g. using the PKCS#11 engine part of libp11
> > > > (https://github.com/OpenSC/libp11).
> > > > This works fine, but with OpenSSL 3.0 engines got deprecated, and a new
> > > > provider concept is used. OpenSSL 1.1.1 is no longer supported by the OpenSSL
> > > > organization (https://www.openssl.org/blog/blog/2023/09/11/eol-111/), and
> > > > newer distributions all have OpenSSL 3.x included. Currently, engines do
> > > > still work, but since they are deprecated, they will at some point in time no
> > > > longer be working.
> > > > With OpenSSL 3.x providers one can implement loading of keys and
> > > > certificates by implementing a STORE method. With this, keys and certificates
> > > > can be loaded for example from PKCS#11 modules via PKCS#11 URIs, just like it
> > > > was possible with a PKCS#11 engine.
> > > > Please find below some code changes required to support loading the server
> > > > private key and certificates from a PKCS#11 provider using OpenSSL STORE
> > > > providers.
> > > 
> > > Definite +1 in principle.
> 
> +1, thanks for the patch!
> 
> > 
> > Please see the patch file attached.
> > I also fixed two minor bugs that I found during testing.
> > 
> > You can also look at the patch here:
> > https://github.com/ifranzki/httpd/commit/4bb3ea191bc2c77608b4811817ad7f63177dd931
> > 
> > If you want, I can even submit a pull request to https://github.com/apache/httpd.
> > Let me know what you prefer.
> 
> Yes please do this, it's easier to comment on the code and it also
> gets tested by the ci.
See https://github.com/apache/httpd/pull/397
> 
> 
> Regards;
> Yann.

-- 
Ingo Franzki
eMail: ifranzki@linux.ibm.com  
Tel: ++49 (0)7031-16-4648
Linux on IBM Z Development, Schoenaicher Str. 220, 71032 Boeblingen, Germany

IBM Deutschland Research & Development GmbH
Vorsitzender des Aufsichtsrats: Gregor Pillen
Geschäftsführung: David Faller
Sitz der Gesellschaft: Böblingen / Registergericht: Amtsgericht Stuttgart, HRB 243294
IBM DATA Privacy Statement: https://www.ibm.com/privacy/us/en/

