[mod_gnutls-devel] mod_gnutls + pkcs11 = less data leaked (?)

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Fri Apr 11 11:42:57 CEST 2014

 I was thinking ways of how a memory leakage in mod_gnutls could have
prevented revealing secrets such as the server's private key, and I
think that this could be "easily" doable if mod_gnutls would support
pkcs11 keys (from a quick glimpse I think it doesn't yet). If it would
support it, then one could use a software security module such as:
and separate the private key operations from the server process. I put
"easily" on quotes because unfortunately lsm-pkcs11 seem to be a dead
project and more modern modules like softhsm [0] don't use any
isolation between the key operations and the calling process.

Nevertheless, I think it would be a good feature to have.


[0]. http://www.opendnssec.org/softhsm/

More information about the mod_gnutls-devel mailing list