lighttpd2
Check the [installation instructions](http://redmine.lighttpd.net/projects/lighttpd2/wiki/Installation). Additionally you'll need the gnutls-bin package (or gnutls-utils) to get p11tool.
When configured with gnutls, lighttpd2 supports PKCS #11 modules transparently if the caml-crush module is registered with p11-kit. To do that you should edit /etc/pkcs11/modules/pkcs11proxyd.module, and add the following line.
```
module: libp11client.so
```
Note that the location of the p11-kit configuration files varies between systems (another known location is /usr/share/p11-kit/modules). If the module is successfully registered you can query the objects (keys/certificates) in the PKCS #11 module using the following commands.
```sh
$ p11tool --list-tokens
$ p11tool --list-all "CAML-CRUSH-TOKEN-URL"
```
The following configuration directives can be added in the main configuration file to utilize caml-crush.
```
module_load [
    "mod_gnutls",
];

gnutls (
    "priority" => "NORMAL:%SERVER_PRECEDENCE",
    "listen" => "0.0.0.0:443",
    "listen" => "[::]:443",
    "pin" => "XXXX",
    "pemfile" => (
        "key" => "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken;type=private",
        "cert" => "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken;type=cert"
    )
)
```
The PKCS #11 URLs should be replaced with the actual objects you see with the p11tool command.
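As an added check (not part of the caml-crush project or of lighttpd2), the following Python script parses PKCS #11 URLs in the RFC 7512 form used above and flags a key/cert pair that is inconsistent before it goes into the pemfile block; the function names and the sample URLs are my own.

```python
"""Sanity-check the PKCS #11 URLs destined for the gnutls "pemfile" block.

RFC 7512 subset handled here: pkcs11:<path-attrs>[?<query-attrs>], where path
attributes are separated by ';', query attributes by '&', values percent-encoded.
"""
from urllib.parse import unquote

# Attributes that together identify which token an object lives on.
TOKEN_ATTRS = ("model", "manufacturer", "serial", "token")


def parse_pkcs11_url(url: str) -> dict:
    """Return {'path': {...}, 'query': {...}} for a pkcs11: URL, percent-decoded."""
    if not url.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URL: %r" % url)
    body = url[len("pkcs11:"):]
    path, _, query = body.partition("?")

    def split(part: str, sep: str) -> dict:
        out = {}
        for item in filter(None, part.split(sep)):
            key, _, value = item.partition("=")
            out[key] = unquote(value)
        return out

    return {"path": split(path, ";"), "query": split(query, "&")}


def check_pemfile(key_url: str, cert_url: str) -> list:
    """Return a list of problems; an empty list means the pair looks consistent."""
    problems = []
    key, cert = parse_pkcs11_url(key_url), parse_pkcs11_url(cert_url)
    # The "key" entry must select a private key, the "cert" entry a certificate.
    if key["path"].get("type") != "private":
        problems.append("key URL must select a private key (type=private)")
    if cert["path"].get("type") != "cert":
        problems.append("cert URL must select a certificate (type=cert)")
    # Both objects should live on the same token, otherwise the pair cannot match.
    for attr in TOKEN_ATTRS:
        if key["path"].get(attr) != cert["path"].get(attr):
            problems.append("key and cert name different tokens (%s differs)" % attr)
    # The PIN belongs in the config's "pin" directive, not duplicated in the URL.
    for name, parsed in (("key", key), ("cert", cert)):
        if "pin-value" in parsed["query"]:
            problems.append("%s URL embeds pin-value; use the pin directive instead" % name)
    return problems


if __name__ == "__main__":
    # Constructed sample: the pair from the configuration above.
    token = "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken"
    print(check_pemfile(token + ";type=private", token + ";type=cert") or "ok")
```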