Opened 4 years ago

Closed 2 years ago

#23 closed enhancement (fixed)

enable pkcs11 for server secret key material

Reported by: https://id.mayfirst.org/dkg
Owned by: https://id.mayfirst.org/dkg
Priority: major
Component: code
Version:
Keywords: pkcs11
Cc:

Description

Nikos writes on-list with a good suggestion:

I was thinking of ways in which a memory leak in mod_gnutls could have been prevented from revealing secrets such as the server's private key, and I think that this could be "easily" doable if mod_gnutls would support pkcs11 keys (from a quick glimpse I think it doesn't yet). If it would support it, then one could use a software security module such as lsm-pkcs11 and separate the private key operations from the server process. I put "easily" in quotes because unfortunately lsm-pkcs11 seems to be a dead project, and more modern modules like softhsm don't use any isolation between the key operations and the calling process.

Nevertheless, I think it would be a good feature to have.

I also think this would be a useful feature.
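The isolation Nikos describes, as an added illustration that is not part of this ticket or of mod_gnutls: the key is generated inside a separate key-holder process, and the server process keeps only a pipe handle through which it requests signatures. A memory disclosure in the server process therefore cannot expose the key, because no copy of it was ever mapped there. HMAC-SHA256 stands in for the private-key operation a real PKCS#11 token would perform, and the fork-and-pipe framing is this example's own construction; the class and function names are assumptions, not mod_gnutls or GnuTLS API.

```python
import hashlib
import hmac
import json
import os
import struct


def _read_exact(fd: int, n: int) -> bytes:
    """Read exactly n bytes from fd; return b"" if EOF arrives first."""
    buf = b""
    while len(buf) < n:
        chunk = os.read(fd, n - len(buf))
        if not chunk:
            return b""
        buf += chunk
    return buf


def _write_all(fd: int, data: bytes) -> None:
    while data:
        data = data[os.write(fd, data):]


def _send(fd: int, obj: dict) -> None:
    """Length-prefixed JSON framing over the pipe (constructed for this demo)."""
    body = json.dumps(obj).encode()
    _write_all(fd, struct.pack(">I", len(body)) + body)


def _recv(fd: int):
    hdr = _read_exact(fd, 4)
    if not hdr:
        return None
    (n,) = struct.unpack(">I", hdr)
    return json.loads(_read_exact(fd, n))


def _serve(req_r: int, rsp_w: int) -> None:
    """Key-holder process: the only address space the secret ever lives in.

    The key is generated *after* fork, so the server (parent) process never
    held it. HMAC-SHA256 is a stand-in for the real private-key operation.
    """
    key = os.urandom(32)
    while (req := _recv(req_r)) is not None:
        data = bytes.fromhex(req["data"])
        mac = hmac.new(key, data, hashlib.sha256).digest()
        if req["op"] == "sign":
            _send(rsp_w, {"sig": mac.hex()})
        elif req["op"] == "verify":
            ok = hmac.compare_digest(mac, bytes.fromhex(req["sig"]))
            _send(rsp_w, {"ok": ok})
        else:
            _send(rsp_w, {"error": "unknown op"})


class IsolatedSigner:
    """Server-side handle: holds pipe descriptors and a pid, never key bytes."""

    def __init__(self) -> None:
        req_r, req_w = os.pipe()
        rsp_r, rsp_w = os.pipe()
        pid = os.fork()
        if pid == 0:  # child becomes the key holder and never returns
            os.close(req_w)
            os.close(rsp_r)
            try:
                _serve(req_r, rsp_w)
            finally:
                os._exit(0)
        os.close(req_r)
        os.close(rsp_w)
        self.pid, self.req_w, self.rsp_r = pid, req_w, rsp_r

    def _call(self, **req) -> dict:
        _send(self.req_w, req)
        rsp = _recv(self.rsp_r)
        if rsp is None:
            raise RuntimeError("key holder exited")
        return rsp

    def sign(self, data: bytes) -> bytes:
        return bytes.fromhex(self._call(op="sign", data=data.hex())["sig"])

    def verify(self, data: bytes, sig: bytes) -> bool:
        return self._call(op="verify", data=data.hex(), sig=sig.hex())["ok"]

    def close(self) -> None:
        os.close(self.req_w)  # EOF on the request pipe tells the child to exit
        os.close(self.rsp_r)
        os.waitpid(self.pid, 0)


def holds_key_material(signer: IsolatedSigner) -> bool:
    """True if the server-side handle stores any byte string at all."""
    return any(isinstance(v, (bytes, bytearray)) for v in vars(signer).values())


if __name__ == "__main__":
    s = IsolatedSigner()
    sig = s.sign(b"handshake transcript")  # constructed sample input
    print("verifies:", s.verify(b"handshake transcript", sig))
    print("tampered verifies:", s.verify(b"handshake transcripT", sig))
    print("handle holds key bytes:", holds_key_material(s))
    s.close()
```

The property worth checking is the last one: everything the server process keeps is an integer descriptor or pid, so a leak of its memory yields nothing but the ability to ask for more signatures while the process is alive. That matches Nikos's caveat that the benefit depends on the PKCS#11 module actually running the key operations out of process; a module that simply loads the key into the calling process (as he notes softhsm does) gives a cleaner API but not this isolation.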

Change History (2)

comment:1 Changed 3 years ago by nikos mavrogiannopoulos

comment:2 Changed 2 years ago by thomas klute

  • Resolution set to fixed
  • Status changed from new to closed

Implemented in version 0.7, thanks to Nikos for the patch!
