nginx
nginx support for PKCS#11 (the `engine:` syntax of `ssl_certificate_key`) was introduced in version 1.7.9.

```
sudo apt-get install libengine-pkcs11-openssl
# nginx loads the engine by id (ENGINE_by_id("pkcs11")), so OpenSSL's dynamic
# loader looks for a file named libpkcs11.so in its engines directory, not for
# engine_pkcs11.so. Symlinking is not working, so we copy the module instead.
sudo cp /usr/lib/ssl/engines/engine_pkcs11.so /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libpkcs11.so
```
It is necessary to add an engine section to the OpenSSL configuration. The following edits the global OpenSSL configuration of the platform, so every OpenSSL user on the host will try to load the engine. A more suitable alternative is to put the same sections in a dedicated configuration file and to export the `OPENSSL_CONF` environment variable to nginx only.

Edit the OpenSSL configuration `/etc/ssl/openssl.cnf`:

```
...
oid_section = new_oids
...
# Add these definitions here, between oid_section and [ new_oids ]: openssl_conf
# must be set in the default (unnamed) section, i.e. before any [section] header.
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# This is the engine module path
dynamic_path = /usr/lib/ssl/engines/engine_pkcs11.so
# This is the Caml Crush client library (the PKCS#11 module the engine loads)
MODULE_PATH = /usr/local/lib/libp11client.so
init = 0
...
[ new_oids ]
```
The following is a basic nginx configuration; adapt it to your needs. Edit the nginx configuration under /usr/local/nginx/conf :

```
# Add the engine in the main (top-level) context
ssl_engine pkcs11;
# Without these two directives the PKCS#11 engine does not work (see the note below)
master_process off;
daemon off;
...
server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate server.pem;
    # Syntax using a label: engine:pkcs11:slot_<X>-label_<your_label>
    # Syntax using an ID:   engine:pkcs11:slot_<X>-id_<your_ID>
    ssl_certificate_key engine:pkcs11:slot_0-label_web_server;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}
```
Please note that the current configuration requires the nginx `master_process` and `daemon` features to be off: nginx runs as a single foreground process. Hence, it might not be usable in production yet.

Please note that the current PKCS#11 support in nginx does not allow the use of ECDSA keys stored in a PKCS#11 token; only RSA keys can be referenced with `ssl_certificate_key engine:pkcs11:...`.
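The following script is an added example, not code from the Caml Crush wiki or from nginx. It implements the "dedicated configuration file" alternative mentioned above: it writes a minimal OpenSSL configuration that only declares the pkcs11 engine (the same sections as in the openssl.cnf excerpt), checks that OpenSSL can load the engine and reach the private key through it, validates nginx.conf with the same `OPENSSL_CONF`, and finally starts nginx in the foreground. The paths and the key identifier `slot_0-label_web_server` are the ones used on this page; the script name `pkcs11-nginx.sh`, the target file `/etc/nginx/openssl-pkcs11.cnf` and the `ENGINE_SO`/`MODULE_SO`/`KEY_ID` variables are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the Caml Crush wiki or nginx): dedicated OpenSSL
# configuration for the pkcs11 engine, handed to nginx via OPENSSL_CONF.
# The defaults below are the paths used on the wiki page; override them in the
# environment if your platform differs.
ENGINE_SO="${ENGINE_SO:-/usr/lib/ssl/engines/engine_pkcs11.so}"  # engine module (dynamic_path)
MODULE_SO="${MODULE_SO:-/usr/local/lib/libp11client.so}"         # Caml Crush client library (MODULE_PATH)
KEY_ID="${KEY_ID:-slot_0-label_web_server}"                       # same id as in ssl_certificate_key

# write_pkcs11_openssl_conf OUT ENGINE_SO MODULE_SO
# Writes a minimal OpenSSL config whose only job is to declare the pkcs11 engine.
# openssl_conf must live in the default (unnamed) section, hence it is the first line.
write_pkcs11_openssl_conf() {
    cat > "$1" <<EOF
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = $2
MODULE_PATH = $3
init = 0
EOF
}

# check_pkcs11_engine CONF
# Returns 0 when OpenSSL, reading CONF, can load and initialise the pkcs11 engine.
# "openssl engine -t" exits 0 even for an unavailable engine, so the output is
# inspected for "[ available ]" rather than trusting the exit status.
check_pkcs11_engine() {
    OPENSSL_CONF="$1" openssl engine -t -c pkcs11 2>/dev/null | grep -q '\[ available \]'
}

# check_pkcs11_key CONF KEY_ID
# Returns 0 when the private key is reachable through the engine: exporting the
# public part forces the engine to open the token and locate the key object.
# The token PIN is prompted for interactively if one is required.
check_pkcs11_key() {
    OPENSSL_CONF="$1" openssl rsa -engine pkcs11 -inform engine -in "$2" -pubout >/dev/null
}

# Usage: sh pkcs11-nginx.sh /etc/nginx/openssl-pkcs11.cnf
# nginx.conf is expected to contain "ssl_engine pkcs11;", "daemon off;" and
# "master_process off;" as shown on this page, so nginx stays in the foreground.
if [ -n "${1:-}" ]; then
    write_pkcs11_openssl_conf "$1" "$ENGINE_SO" "$MODULE_SO"
    check_pkcs11_engine "$1" || { echo "pkcs11 engine failed to load with $1" >&2; exit 1; }
    check_pkcs11_key "$1" "$KEY_ID" || { echo "key $KEY_ID not reachable through the engine" >&2; exit 1; }
    export OPENSSL_CONF="$1"
    nginx -t || exit 1
    exec nginx
fi
```

Because `OPENSSL_CONF` is exported only in this process, the rest of the host keeps the stock `/etc/ssl/openssl.cnf`; the two checks run before `nginx -t` so that an engine or token problem is reported by OpenSSL itself rather than as an opaque nginx startup failure.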