Opened 9 years ago

Closed 7 years ago

#23 closed enhancement (fixed)

enable pkcs11 for server secret key material

Reported by: Daniel Kahn Gillmor
Owned by: Daniel Kahn Gillmor
Priority: major
Component: code
Version:
Keywords: pkcs11


Nikos writes on-list with a good suggestion:

I was thinking of ways in which a memory leak in mod_gnutls could have been prevented from revealing secrets such as the server's private key, and I think that this could be "easily" doable if mod_gnutls supported PKCS#11 keys (from a quick glimpse I think it doesn't yet). If it supported them, then one could use a software security module such as lsm-pkcs11 and separate the private key operations from the server process. I put "easily" in quotes because unfortunately lsm-pkcs11 seems to be a dead project, and more modern modules like softhsm don't use any isolation between the key operations and the calling process.

Nevertheless, I think it would be a good feature to have.

I also think this would be a useful feature.

Change History (2)

comment:1 Changed 9 years ago by Nikos Mavrogiannopoulos

comment:2 Changed 7 years ago by Thomas Klute

Resolution: fixed
Status: new → closed

Implemented in version 0.7, thanks to Nikos for the patch!
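What the feature looks like in use, as an added configuration example that is not part of this ticket or of the mod_gnutls patch it records. The directive names (GnuTLSKeyFile accepting a pkcs11: URL, GnuTLSP11Module, GnuTLSPIN) are taken from later mod_gnutls documentation and are assumed here rather than confirmed by the ticket; the token label, object label and PIN are made up for the example. The first vhost shows the weak setting (PEM key loaded into the worker's address space), the second the PKCS#11 form that keeps the key handle, not the key, in the process.

```apache
# BEFORE (assumed weak setting): the private key is read from disk into
# the Apache worker, so any memory disclosure in the server can leak it.
<VirtualHost *:443>
    ServerName example.test
    GnuTLSEnable on
    GnuTLSCertificateFile /etc/ssl/example.test.crt
    GnuTLSKeyFile         /etc/ssl/example.test.key
</VirtualHost>

# AFTER (assumed directives): the key stays inside the PKCS#11 token and
# the worker only holds an object handle. The pkcs11: URL is the one
# p11tool --list-all reports for the private-key object; token and object
# labels below are constructed for this example.
# GnuTLSP11Module is only needed when the module is not already
# registered with p11-kit on the system.
GnuTLSP11Module /usr/lib/softhsm/libsofthsm2.so
GnuTLSPIN       1234

<VirtualHost *:443>
    ServerName example.test
    GnuTLSEnable on
    GnuTLSCertificateFile /etc/ssl/example.test.crt
    GnuTLSKeyFile "pkcs11:token=mod_gnutls;object=server-key;type=private"
</VirtualHost>
```

Caveat that follows directly from Nikos's remark above: with SoftHSM the module is a shared library loaded into the same process, so the key material is still mapped in the worker and a memory disclosure can still reach it. The isolation argument only holds when the PKCS#11 module delegates private-key operations to another process or to hardware (a real HSM, a TPM, or a separate-process module), so check where your module actually performs the signing before relying on this.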
