httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 52473] New: Patch to integrate apache server with OpenSSL generic PKCS#11 engine.
Date Mon, 16 Jan 2012 16:43:13 GMT

             Bug #: 52473
           Summary: Patch to integrate apache server with OpenSSL generic
                    PKCS#11 engine.
           Product: Apache httpd-2
           Version: 2.2.2
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
    Classification: Unclassified

This patch integrates Apache with the OpenSSL generic PKCS#11 engine.
After compiling Apache with this patch you can connect to the Apache server over
SSL using an HSM that holds the private RSA key and certificate instead of holding
them in PEM files.

In order to work with this patch you need to configure the following:
1. Edit openssl.cnf (default location is /etc/ssl/openssl.cnf)

dynamic_path – the path to the generic
MODULE_PATH – the path to the HSM PKCS#11 so

2. Edit the Apache ssl.cnf that is usually placed in
where $apache is the directory where Apache is installed

SSLCryptoDevice pkcs11
SSLCertificateFile slot_1-id_31323334

SSLCertificateFile has the following format: slot_num-id_name,
where num is the number of the slot and name is the ID, in hex, of the private key,
public key and certificate objects to be used. In the above example
slot_1-id_31323334 means that SSL needs to work with slot number one and
with the certificate and private key with ID 1234 (0x31323334).

The changes we made in mod_ssl were taken from a patch that we found in the
Apache Bugzilla:

We found out that this patch works well with our HSM (ARX PrivateServer). We would
like to insert it into the open source code.
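
The slot/ID value that the patched SSLCertificateFile directive takes, parsed and sanity-checked in Python. This is an added example, not code from the bug report or from the mod_ssl patch it describes (the patch itself is not on this page); the validation rules, the pkcs11-tool command used as a pre-start check, and the module path in the usage section are assumptions, not something the report states.

```python
import re

# Added example, not code from the bug report or from its mod_ssl patch (which is not
# shown on the page). It parses the "slot_<num>-id_<hex>" value that the patched
# SSLCertificateFile directive accepts when SSLCryptoDevice is pkcs11, and performs
# the checks a loader (or an admin) would want before handing the value to the
# engine. How the real patch validates the string is an assumption here.

_REF = re.compile(r"^slot_(?P<slot>\d+)-id_(?P<hexid>[0-9A-Fa-f]+)$")


def parse_pkcs11_ref(value):
    """Return (slot_number, object_id_bytes) for a value such as 'slot_1-id_31323334'.

    Raises ValueError on anything outside the documented format, so a typo in the
    configuration fails loudly at startup instead of selecting the wrong key.
    """
    m = _REF.match(value.strip())
    if m is None:
        raise ValueError("expected 'slot_<num>-id_<hex>', got %r" % (value,))
    hexid = m.group("hexid")
    if len(hexid) % 2:
        # A PKCS#11 CKA_ID is a byte string; an odd number of hex digits cannot be one.
        raise ValueError("object id %r has an odd number of hex digits" % (hexid,))
    return int(m.group("slot")), bytes.fromhex(hexid)


def is_valid_ref(value):
    """True if parse_pkcs11_ref() would accept the value."""
    try:
        parse_pkcs11_ref(value)
    except ValueError:
        return False
    return True


def object_id_label(obj_id):
    """CKA_ID values are often a human-chosen string stored as its ASCII bytes, so
    0x31323334 is the label '1234'. Return that text if every byte is printable
    ASCII, otherwise None (the ID is then genuinely binary)."""
    if obj_id and all(0x20 <= b < 0x7F for b in obj_id):
        return obj_id.decode("ascii")
    return None


def describe(value):
    """One-line summary suitable for a startup log message."""
    slot, obj_id = parse_pkcs11_ref(value)
    text = "slot %d, object id 0x%s" % (slot, obj_id.hex())
    label = object_id_label(obj_id)
    if label is not None:
        text += " (%r as ASCII)" % (label,)
    return text


def pkcs11_tool_check(value, module_path):
    """Build the OpenSC pkcs11-tool command that lists the objects with this id in
    the given slot of the HSM's PKCS#11 module (the MODULE_PATH from openssl.cnf),
    so the certificate and private key can be confirmed to exist before httpd is
    started. Assumption: the engine's slot number is the slot ID pkcs11-tool
    expects; if the HSM reports different slot IDs, use --slot-index instead."""
    slot, obj_id = parse_pkcs11_ref(value)
    return ["pkcs11-tool", "--module", module_path,
            "--slot", str(slot), "--id", obj_id.hex(), "--list-objects"]


if __name__ == "__main__":
    # Constructed inputs: the value from the bug report, and a variant with a
    # stray extra digit, which the checks reject. The module path is a placeholder.
    for ref in ("slot_1-id_31323334", "slot_1-id_313323334"):
        if is_valid_ref(ref):
            print(ref, "->", describe(ref))
            print("  check with:", " ".join(pkcs11_tool_check(ref, "/usr/lib/libsofthsm2.so")))
        else:
            print(ref, "-> rejected")
```

Running the script prints the decoded slot and ID for the valid value and rejects the nine-digit variant, which is the kind of configuration slip that would otherwise surface only as an engine lookup failure when httpd starts.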
