nginx
nginx can load a TLS private key through an OpenSSL engine (and therefore from a PKCS#11 token) since version 1.7.9.

Install the OpenSSL PKCS#11 engine and make it available under the file name nginx expects:

```sh
sudo apt-get install libengine-pkcs11-openssl
# nginx looks the engine up under a different file name (libpkcs11.so in the
# OpenSSL engines directory); a symlink does not work here, so copy the module
sudo cp /usr/lib/ssl/engines/engine_pkcs11.so /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libpkcs11.so
```
An engine section has to be added to the OpenSSL configuration. The edit below changes the global OpenSSL configuration of the platform, so it affects every program that uses OpenSSL. A better alternative is to put the same definitions in a dedicated configuration file and to point nginx at it by exporting the OPENSSL_CONF environment variable before starting it.

Edit the OpenSSL configuration /etc/ssl/openssl.cnf:
```ini
...
oid_section = new_oids
...
# Add these definitions here, still in the default (unnamed) section,
# i.e. before the first [section] header such as [new_oids]
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# Path of the OpenSSL PKCS#11 engine module
dynamic_path = /usr/lib/ssl/engines/engine_pkcs11.so
# Path of the PKCS#11 module the engine talks to: here the Caml Crush client library
MODULE_PATH = /usr/local/lib/libp11client.so
init = 0
...
[ new_oids ]
```
The following is a basic nginx configuration; adapt it to your needs. Edit the nginx configuration in /usr/local/nginx/conf:

```nginx
# Main (top-level) section: load the engine by the engine_id declared in the OpenSSL configuration
ssl_engine pkcs11;
# Without these two directives the engine-backed key does not work with this setup
master_process off;
daemon off;
...
server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate server.pem;
    # Key referenced by label: engine:pkcs11:slot_<X>-label_<your_label>
    # Key referenced by ID:    engine:pkcs11:slot_<X>-id_<your_ID>
    ssl_certificate_key engine:pkcs11:slot_0-label_web_server;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}
```
Please note that this configuration requires the nginx master_process and daemon features to be off, so nginx runs as a single foreground process. It might therefore not be usable in production yet.

Please note also that the current nginx support does not allow ECDSA keys stored in a PKCS#11 token to be used.
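The page recommends a dedicated OpenSSL configuration file exported through OPENSSL_CONF instead of editing /etc/ssl/openssl.cnf, but does not show one. The script below is an added example, not part of the Caml Crush wiki: it writes that dedicated file with the same engine section as above, checks with the openssl command line that the engine loads and that the token key named in ssl_certificate_key is reachable, and only then starts nginx in the foreground with OPENSSL_CONF set. The file location /etc/nginx/openssl-pkcs11.cnf, the nginx binary path and the PKCS11_NGINX_RUN switch are assumptions; the engine, module and key identifiers are the ones used on this page.

```shell
#!/bin/sh
# Added example (not from the Caml Crush wiki): dedicated OpenSSL config for the
# pkcs11 engine, pre-flight checks, then nginx started with OPENSSL_CONF set.
set -u

ENGINE_SO="${ENGINE_SO:-/usr/lib/ssl/engines/engine_pkcs11.so}"   # engine module (from the page)
MODULE_SO="${MODULE_SO:-/usr/local/lib/libp11client.so}"          # Caml Crush client library (from the page)
CONF="${CONF:-/etc/nginx/openssl-pkcs11.cnf}"                      # assumed location of the dedicated file
NGINX_BIN="${NGINX_BIN:-/usr/local/nginx/sbin/nginx}"              # assumed nginx binary
KEY_ID="${KEY_ID:-slot_0-label_web_server}"                        # same id as in ssl_certificate_key

# write_pkcs11_conf <path> <engine.so> <module.so>
# Emit a minimal OpenSSL configuration whose only job is to register the
# pkcs11 engine. "openssl_conf" must be in the default (unnamed) section,
# i.e. the first line, before any [section] header.
write_pkcs11_conf() {
    cat > "$1" <<EOF
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = $2
MODULE_PATH = $3
init = 0
EOF
}

# check_engine <conf>: load the engine through the config file, run its
# self-test (-t) and list its capabilities (-c); fails if the module path is wrong
check_engine() {
    OPENSSL_CONF="$1" openssl engine -t -c pkcs11
}

# check_key <conf> <key id>: ask the engine for the private key object and
# print only its public part, so a wrong slot or label shows up here rather
# than at nginx start-up (the token may prompt for its PIN)
check_key() {
    OPENSSL_CONF="$1" openssl pkey -engine pkcs11 -inform engine -in "$2" -pubout
}

# run_nginx <conf>: with "daemon off; master_process off;" nginx stays in the
# foreground, so the exported OPENSSL_CONF is seen by the process serving TLS
run_nginx() {
    OPENSSL_CONF="$1"
    export OPENSSL_CONF
    exec "$NGINX_BIN"
}

# Nothing runs unless explicitly requested, so the functions can be sourced.
if [ "${PKCS11_NGINX_RUN:-0}" = 1 ]; then
    write_pkcs11_conf "$CONF" "$ENGINE_SO" "$MODULE_SO"
    check_engine "$CONF" || exit 1
    check_key "$CONF" "$KEY_ID" || exit 1
    run_nginx "$CONF"
fi
```

Run it as `PKCS11_NGINX_RUN=1 sh pkcs11-nginx.sh`; from another terminal, `openssl s_client -connect localhost:443 </dev/null` should then complete a handshake using the certificate in server.pem while the private key never leaves the token behind the Caml Crush client library.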