Opened 5 years ago
Closed 3 years ago
#23 closed enhancement (fixed)
enable pkcs11 for server secret key material
| Reported by: | Daniel Kahn Gillmor | Owned by: | Daniel Kahn Gillmor |
|---|---|---|---|
| Priority: | major | Component: | code |
| Version: | Keywords: | pkcs11 | |
| Cc: |
Description
Nikos writes on-list with a good suggestion:
I was thinking ways of how a memory leakage in mod_gnutls could have prevented revealing secrets such as the server's private key, and I think that this could be "easily" doable if mod_gnutls would support pkcs11 keys (from a quick glimpse I think it doesn't yet). If it would support it, then one could use a software security module such as lsm-pkcs11 and separate the private key operations from the server process. I put "easily" on quotes because unfortunately lsm-pkcs11 seem to be a dead project and more modern modules like softhsm don't use any isolation between the key operations and the calling process.
Nevertheless, I think it would be a good feature to have.
I also think this would be a useful feature.
Change History (2)
comment:1 Changed 5 years ago by
comment:2 Changed 3 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Implemented in version 0.7, thanks to Nikos for the patch!
There is a patch enabling this feature.
https://github.com/nmav/mod_gnutls/commit/031acac9c6541034777f8917633164b51f6bd10a