[mod_gnutls-devel] mod_gnutls + pkcs11 = less data leaked (?)
Nikos Mavrogiannopoulos
n.mavrogiannopoulos at gmail.com
Fri Apr 11 11:42:57 CEST 2014
Hello,
I was thinking ways of how a memory leakage in mod_gnutls could have
prevented revealing secrets such as the server's private key, and I
think that this could be "easily" doable if mod_gnutls would support
pkcs11 keys (from a quick glimpse I think it doesn't yet). If it would
support it, then one could use a software security module such as:
http://www.clizio.com/lsmpkcs11.html
and separate the private key operations from the server process. I put
"easily" on quotes because unfortunately lsm-pkcs11 seem to be a dead
project and more modern modules like softhsm [0] don't use any
isolation between the key operations and the calling process.
Nevertheless, I think it would be a good feature to have.
regards,
Nikos
[0]. http://www.opendnssec.org/softhsm/
More information about the mod_gnutls-devel
mailing list