httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 57510] Engine keyform support for private keys
Date Sun, 08 Feb 2015 06:34:57 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=57510

--- Comment #5 from Kaspar Brand <asfbugz@velox.ch> ---
(In reply to Pichulin Dmitrii from comment #3)
> at this point of time
> Apache httpd can not load private keys from tokens at all.
> 
> This functionality is becoming more and more crucial over time.

This is debatable. Looking at how few reactions there were to bug 42687 (and an
accompanying thread on httpd-dev which ended here [1]), I remain sceptical
about the urgency of such a feature. Generally speaking, I would mostly be in
favor of having decent PKCS#11 support in mod_ssl, as I consider this a much
less idiosyncratic way of supporting hardware-based keys than using custom
per-token OpenSSL engines (I'm aware of engine_pkcs11, which at least provides
indirect PKCS#11 support for OpenSSL).

> Our patch
> can simply add this functionality without any consequences. It can be
> upgraded later with a better solution if it's needed.

I beg to differ. It amounts to what is sometimes called creeping featurism -
from an httpd maintainer's point of view, adding such an option is not just a
question of committing a few additional lines of code. It's about devising /
deciding on a sensible solution for supporting token-based keys, documenting
this feature, making sure it doesn't break with new httpd or OpenSSL releases
etc.

> Our vision is that OpenSSL is preconfigured and SSLCertificateKeyFile just
> uses ENGINE_by_id (and then ENGINE_load_private_key)

Repurposing a directive which is clearly referring to "File" by its very name
already suggests that this is a fairly hasty way of adding engine-based key
support. The public-key part of the story is not addressed either - at least
SSLCertificateFile would have to be taken into account, too.

> Your vision is that OpenSSL should be configured by Apache httpd, can you
> provide information why?

Because that's the approach mod_ssl takes for all other OpenSSL configuration
things (SSLCipherSuite, SSLProtocol, etc., or the new SSLOpenSSLConfCmd for
1.0.2 and later). How OpenSSL is configured for use by mod_ssl should be
evident from the examination of the (self-contained) httpd configuration, and
not depend on a potentially system-wide openssl.cnf file shared with other
applications.

[1]
https://mail-archives.apache.org/mod_mbox/httpd-dev/200706.mbox/%3C46768DFB.3090708@ncipher.com%3E
