Is there a way to use a custom engine that interfaces with a hardware module to use the keys stored in it for SSL/TLS?
Added by Anonymous almost 5 years ago
I have a Hardware Security Module (HSM) on my board that stores private keys and comes with a custom engine that could be used with OpenSSL.
Can I use the custom engine for SSL/TLS with Lighttpd where the private key is stored in the HSM instead of the text file?
This is on a linux platform.
Replies (3)
RE: Is there a way to use a custom engine that interfaces with a hardware module to use the keys stored in it for SSL/TLS? - Added by gstrauss almost 5 years ago
"I have hardware" is painfully vague. Please check the documentation of your vague hardware for configuration instructions.
lighttpd mod_openssl provides the directive ssl.openssl.ssl-conf-cmd
which you might be able to use. You might also look into configuring openssl.cnf.
RE: Is there a way to use a custom engine that interfaces with a hardware module to use the keys stored in it for SSL/TLS? - Added by Anonymous almost 5 years ago
Sorry for the delayed response and thanks for replying!
So I added a patch to lighttpd that adds a function in network.c to read the private key from the HSM. Everything works, but I see the following error in the log file even when I am using the key from the text file and not from the HSM.
2019-05-25 03:16:57: (../../lighttpd-1.4.39/src/connections.c.1557) SSL: 1 -1 error:140E0197:lib(20):func(224):reason(407)
So the error only occurred when the patch was used, so I removed my patch and kept just one line to check whether it was some linking error.
--- lighttpd-1.4.39/src/base.h
+++ lighttpd-1.4.39-foo/src/base.h
@@ -33,6 +33,7 @@
#if defined HAVE_LIBSSL && defined HAVE_OPENSSL_SSL_H
# define USE_OPENSSL
# include <openssl/ssl.h>
+# include <openssl/engine.h>
# if ! defined OPENSSL_NO_TLSEXT && ! defined SSL_CTRL_SET_TLSEXT_HOSTNAME
# define OPENSSL_NO_TLSEXT
# endif
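Review bot: the added `# include <openssl/engine.h>` is unguarded, so an OpenSSL built with OPENSSL_NO_ENGINE will break the build (1.0.x's engine.h fails with an `#error` in that case); wrap it as `# ifndef OPENSSL_NO_ENGINE` / `# include <openssl/engine.h>` / `# endif`, matching the `# if` style already used in this block. Separately, the hunk adds only a header and no code that uses it, so the include alone should not change runtime SSL behaviour; if it does, verify that the engine.h found at compile time belongs to the same OpenSSL installation as the libssl that lighttpd links against at runtime.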
So when I include openssl/engine.h in base.h, I can still see the error. But the moment I remove that the error stops occurring.
Is this something that is related to linking engine.h?
Thanks!
RE: Is there a way to use a custom engine that interfaces with a hardware module to use the keys stored in it for SSL/TLS? - Added by gstrauss almost 5 years ago
(../../lighttpd-1.4.39/src/connections.c.1557)
lighttpd 1.4.39 was released almost 3 1/2 years ago and over 1200 commits ago.
The latest lighttpd was just released yesterday, lighttpd 1.4.54, which is 15 full releases after lighttpd 1.4.39.
I am at a loss for words -- no, I'm not, but I am biting my tongue -- that you would post to development forum with such an obvious oversight.
[Edit] I guess I have to ask: how ancient a version of openssl are you attempting to use? If it is not the latest stable openssl release (and not a maintenance branch), please try again.