See #397 #398
Closed
…STORE

The mod_ssl module has support for loading keys and certificates from OpenSSL engines via PKCS#11 URIs at SSLCertificateFile and SSLCertificateKeyFile, e.g. using the PKCS#11 engine part of libp11 (https://github.com/OpenSC/libp11). This works fine, but with OpenSSL 3.0 engines got deprecated, and a new provider concept is used. OpenSSL 1.1.1 is no longer supported by the OpenSSL organization (https://www.openssl.org/blog/blog/2023/09/11/eol-111/), and newer distributions all have OpenSSL 3.x included. Currently, engines do still work, but since they are deprecated, they will at some point in time no longer be working.

With OpenSSL 3.x providers one can implement loading of keys and certificates by implementing a STORE method. With this, keys and certificates can be loaded for example from PKCS#11 modules via PKCS#11 URIs, just like it was possible with a PKCS#11 engine.

This commit contains the code changes required to support loading the server private key and certificates from a PKCS#11 provider using OpenSSL STORE providers. The usage is very similar to how it was with engines. You can specify a PKCS#11 URI with SSLCertificateFile and SSLCertificateKeyFile, exactly as with engines. The only difference is that you must specify 'SSLCryptoDevice provider' as crypto device, instead of specifying the engine name. That way, the code continues to support working with engines. So SSLCryptoDevice accepts either 'builtin' or an engine name as before, but now also 'provider' to enable the OpenSSL provider STORE API. Instead of choosing this approach, we could just replace the engine support by the provider support, but this might break existing installations that are still using engines.

The provider(s) to be used with httpd must be configured via the OpenSSL config file in the provider section. Most providers need additional, provider-specific settings that can only be supplied via the OpenSSL config file. If one does not like to configure the providers globally, one can have a separate OpenSSL config file and use the environment variable OPENSSL_CONF to specify the config file to use. That way one can have an OpenSSL config file just for httpd.

Currently there exist 2 PKCS#11 provider projects:
- https://github.com/latchset/pkcs11-provider
- https://github.com/opencryptoki/openssl-pkcs11-sign-provider

Both do support loading keys via PKCS#11 URI via their STORE support, but the code below is not limited to just those two. Any provider that supports a STORE implementation for URIs with the 'pkcs11' scheme can be used.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
…rs via STORE

Remove the SSLCryptoDevice special name 'provider'. In case no engine is specified via SSLCryptoDevice but a PKCS#11 URI is used, it goes the STORE path.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
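Worked configuration for the end state the two commits above describe (a pkcs11: URI in SSLCertificateFile/SSLCertificateKeyFile, no SSLCryptoDevice, providers selected through an httpd-only OpenSSL config via OPENSSL_CONF). This is an added example, not code from the httpd project or from this PR. It assumes the latchset pkcs11-provider; the module paths, the token name `httpd`, the object label `www.example.com` and the output file names are assumptions to be adjusted for the deployment. `openssl storeutl` and `openssl list -providers` are stock OpenSSL 3.x commands.

```shell
#!/bin/sh
# Added example, not part of the httpd project or this PR: writes an
# httpd-only OpenSSL config that activates pkcs11-provider, and the mod_ssl
# directives that make mod_ssl take the STORE path (pkcs11: URI, no
# SSLCryptoDevice). Module paths, token name and object label are assumptions.
set -eu

# Write the OpenSSL config to $1. $2: pkcs11-provider module, $3: the token's
# PKCS#11 library (SoftHSM2 paths are the assumed defaults).
write_openssl_conf() {
    out="$1"
    provider_module="${2:-/usr/lib64/ossl-modules/pkcs11.so}"
    pkcs11_module="${3:-/usr/lib64/softhsm/libsofthsm2.so}"
    cat > "$out" <<EOF
# OpenSSL config for httpd only; select it with OPENSSL_CONF=$out
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect

# Activating any provider in the config stops the default provider from being
# auto-loaded, so it must be activated explicitly or TLS ciphers go missing.
[default_sect]
activate = 1

[pkcs11_sect]
module = $provider_module
pkcs11-module-path = $pkcs11_module
activate = 1
EOF
}

# Write the mod_ssl vhost fragment to $1 for the key/cert pair at the
# PKCS#11 URI prefix $2 (RFC 7512 syntax, e.g. pkcs11:token=httpd;object=www).
write_mod_ssl_conf() {
    out="$1"
    uri="$2"
    cat > "$out" <<EOF
# No SSLCryptoDevice: with OpenSSL 3.x a pkcs11: URI is resolved through the
# provider's STORE loader instead of an ENGINE. The PIN is deliberately not
# embedded in the URI; RFC 7512 defines the pin-source=file:/path query
# attribute for non-interactive startup, if the provider supports it.
Listen 443
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    "$uri;type=cert"
    SSLCertificateKeyFile "$uri;type=private"
</VirtualHost>
EOF
}

# Resolve a URI the way mod_ssl will, using only the providers listed in the
# config $1. Fails if the provider is not loaded or the object is not found.
check_store_uri() {
    OPENSSL_CONF="$1" openssl storeutl -noout -text "$2"
}

# Usage: sh pkcs11-store-setup.sh DIR [pkcs11-provider.so] [pkcs11-module.so]
if [ $# -gt 0 ]; then
    dir="$1"
    write_openssl_conf "$dir/openssl-httpd.cnf" "${2:-}" "${3:-}"
    write_mod_ssl_conf "$dir/ssl-pkcs11.conf" "pkcs11:token=httpd;object=www.example.com"
    # Both providers must show up here before httpd is started with this file.
    OPENSSL_CONF="$dir/openssl-httpd.cnf" openssl list -providers
    check_store_uri "$dir/openssl-httpd.cnf" "pkcs11:token=httpd;object=www.example.com;type=cert"
fi
```

Run the script with a target directory, then start httpd with `OPENSSL_CONF` pointing at the generated `openssl-httpd.cnf` (for example via the service's environment file). The `type=cert` / `type=private` attributes keep the certificate and key lookups unambiguous when a token holds several objects under one label; the explicit `default = default_sect` block is the caveat most often missed, since without it the TLS cipher and digest implementations vanish once a custom provider is activated.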
ifranzki pushed a commit to ifranzki/httpd that referenced this pull request, Feb 21, 2024:

the STORE API. Separates compile-time support for the STORE API (supported in 3.x) from support for the ENGINE API (deprecated in 3.x).

* modules/ssl/ssl_private.h: Define MODSSL_HAVE_OPENSSL_STORE for OpenSSL 3.0+.
* modules/ssl/ssl_engine_pphrase.c (modssl_load_store_uri, modssl_load_keypair_store): New functions.
  (modssl_load_keypair_engine): Renamed from modssl_load_keypair_engine.
  (modssl_load_engine_keypair): Reimplement to use new STORE-based functions if SSLCryptoDevice was not configured, or else old ENGINE implementation.
* modules/ssl/ssl_util.c (modssl_is_engine_id): Match pkcs11: URIs also for the OpenSSL 3.x STORE API.
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Tweak log message on error paths for the provider/STORE case.

Signed-off-by: Ingo Franzki <ifranzki linux.ibm.com>
Submitted by: Ingo Franzki <ifranzki linux.ibm.com>
Github: closes apache#397, closes apache#398

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1914365 13f79535-47bb-0310-9956-ffa450edef68
(cherry picked from commit cc796e2)
notroj added a commit to notroj/httpd that referenced this pull request, Jun 19, 2024 (the same commit, cherry picked from commit cc796e2).