
Is there a way to use a custom engine that interfaces with a hardware module to use the keys stored in it for SSL/TLS?

Added by Anonymous about 1 year ago

I have a Hardware Security Module (HSM) on my board that stores private keys and comes with a custom engine that could be used with OpenSSL.

Can I use the custom engine for SSL/TLS with Lighttpd where the private key is stored in the HSM instead of the text file?

This is on a Linux platform.


Replies (3)

RE: Is there a way to use a custom engine that interfaces with a hardware module to use the keys stored in it for SSL/TLS? - Added by gstrauss about 1 year ago

"I have hardware" is painfully vague. Please check the documentation of your vague hardware for configuration instructions.

lighttpd mod_openssl provides the directive ssl.openssl.ssl-conf-cmd which you might be able to use. You might also look into configuring openssl.cnf.

RE: Is there a way to use a custom engine that interfaces with a hardware module to use the keys stored in it for SSL/TLS? - Added by Anonymous about 1 year ago

Sorry for the delayed response and thanks for replying!

So I added a patch to lighttpd that adds a function in network.c to read the private key from the HSM. Everything works, but I see the following error in the log file even when I am using the key from the text file and not from the HSM.

2019-05-25 03:16:57: (../../lighttpd-1.4.39/src/connections.c.1557) SSL: 1 -1 error:140E0197:lib(20):func(224):reason(407)

So the error only occurred when the patch was used so I removed my patch and kept just one line to check if it was some linking error.

--- lighttpd-1.4.39/src/base.h    
+++ lighttpd-1.4.39-foo/src/base.h    
@@ -33,6 +33,7 @@
 #if defined HAVE_LIBSSL && defined HAVE_OPENSSL_SSL_H
 # define USE_OPENSSL
 # include <openssl/ssl.h>
+# include <openssl/engine.h>
 # if ! defined OPENSSL_NO_TLSEXT && ! defined SSL_CTRL_SET_TLSEXT_HOSTNAME
 #  define OPENSSL_NO_TLSEXT
 # endif
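Review bot: base.h is pulled into nearly every translation unit, but the only code that needs the ENGINE API is the new key-loading function described for network.c, so `#include <openssl/engine.h>` belongs next to that function rather than in base.h, and it should be wrapped in `#ifndef OPENSSL_NO_ENGINE` so the build still succeeds against a libcrypto configured with `no-engine`. An added header cannot change runtime behaviour by itself unless it changes preprocessor state or is picked up from a different OpenSSL than the one being linked, so if the reported error really tracks this one line, the first thing to check is that the include path and the linked libssl/libcrypto come from the same OpenSSL installation.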

So when I include openssl/engine.h in base.h, I can still see the error. But the moment I remove that the error stops occurring.
Is this something that is related to linking engine.h?

Thanks!

RE: Is there a way to use a custom engine that interfaces with a hardware module to use the keys stored in it for SSL/TLS? - Added by gstrauss about 1 year ago

(../../lighttpd-1.4.39/src/connections.c.1557)

lighttpd 1.4.39 was released almost 3 1/2 years ago and over 1200 commits ago.

The latest lighttpd was just released yesterday, lighttpd 1.4.54, which is 15 full releases after lighttpd 1.4.39.

I am at a loss for words -- no, I'm not, but I am biting my tongue -- that you would post to development forum with such an obvious oversight.

[Edit] I guess I have to ask: how ancient a version of openssl are you attempting to use? If it is not the latest stable openssl release (and not a maintenance branch), please try again.
