[mod_gnutls-devel] mod_gnutls + pkcs11 = less data leaked (?)
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Apr 11 16:17:29 CEST 2014
On 04/11/2014 05:42 AM, Nikos Mavrogiannopoulos wrote:
> I was thinking ways of how a memory leakage in mod_gnutls could have
> prevented revealing secrets such as the server's private key, and I
> think that this could be "easily" doable if mod_gnutls would support
> pkcs11 keys (from a quick glimpse I think it doesn't yet). If it would
> support it, then one could use a software security module such as:
> and separate the private key operations from the server process. I put
> "easily" on quotes because unfortunately lsm-pkcs11 seem to be a dead
> project and more modern modules like softhsm  don't use any
> isolation between the key operations and the calling process.
> Nevertheless, I think it would be a good feature to have.
yes, i agree! I actually nudged the mod_ssl folks about this sort of
thing (though not in pkcs11 exactly) recently.
I've recorded this feature suggestion here:
I'd be happy to see patches or even a proposed API for it.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1010 bytes
Desc: OpenPGP digital signature
More information about the mod_gnutls-devel