httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Apache Devel" <apache.de...@engy.com>
Subject Apache2 mod_ssl with HSM support
Date Wed, 30 May 2007 06:36:39 GMT
Hello,

I'd like to start a discussion about Hardware Security Module (HSM)
support for 
mod_ssl. You may know that OpenSSL supports different HW engines. There
is also 
support for PKCS#11 devices, a standard for communication with crypto
devices -
e.g. HSMs or Smartcards. Some HSM vendors support mod_ssl and their HSM
with a 
modified OpenSSL/mod_ssl version. But support is limited to 1.3.X
versions of Apache as 
far as we know.
There seems to be no standard interface for mod_ssl with HSM 
support for private key protection and operations. We decided to extend
mod_ssl 
for usage with an HSM. We have a first prototype ("prealpha") with
limited 
functionality now.

The limitations:
- Supports only one virtual host
- Supports no keys from files at the moment
- Loads HSM PIN from the OpenSSL.cnf file (No handler implemented at the
moment)
- Certificate comes from file (not really a limitation...)

What it does:
- Private key is no longer in a file, it's in the secure HSM store
- Private key operations are processed on the HSM

The HSM configuration happens in the OpenSSL.cnf file. In httpd_ssl.conf
we introduced two additional parameters.

Path to the OpenSSL config (Module global):
SSLEngineConfig C:/Apache22/conf/openssl.cnf

Reference describing the private key (Per virtual host):
SSLCertificateKeyReference
pkcs11#slot_0-id_65A0A10FFCE5B514CC228640C85373BB92C2DCD4

The reference descriptor has the following format:
<engineName>#<keyIdentifier>

<engineName> refers to the engine defined in openssl.cnf. The
<keyIdentifier> 
part depends on the engine referred before. This two chunks are
separated with 
'#'. In the sample above we address a PKCS#11 device and use the private
key 
with id 65A0A10FFCE5B514CC228640C85373BB92C2DCD4 on slot 0. A sample
file of the 
OpenSSL config is attached at the end of this post.

Is it of interest to add HSM support to mod_ssl for private key
protection in 
further versions of mod_ssl? Is there already an intention to implement
this? If 
it is of interest and there are no plans to implement support, it would
be great to have a 
discussion here how to do that.

Kind regards
Dan


OpenSSL config file:

# PKCS11 engine config##################################################
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = "C:\\Apache22\\bin\\engine_pkcs11.dll"
MODULE_PATH = "C:\\Programme\\Eracom\\ProtectToolkit C
SDK\\bin\\hsm\\cryptoki.dll"
PIN = "11223344"
init = 0

Mime
View raw message