[mod_gnutls-devel] mod_gnutls + pkcs11 = less data leaked (?)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Apr 11 16:17:29 CEST 2014

On 04/11/2014 05:42 AM, Nikos Mavrogiannopoulos wrote:

>  I was thinking ways of how a memory leakage in mod_gnutls could have
> prevented revealing secrets such as the server's private key, and I
> think that this could be "easily" doable if mod_gnutls would support
> pkcs11 keys (from a quick glimpse I think it doesn't yet). If it would
> support it, then one could use a software security module such as:
> http://www.clizio.com/lsmpkcs11.html
> and separate the private key operations from the server process. I put
> "easily" on quotes because unfortunately lsm-pkcs11 seem to be a dead
> project and more modern modules like softhsm [0] don't use any
> isolation between the key operations and the calling process.
> Nevertheless, I think it would be a good feature to have.

yes, i agree!  I actually nudged the mod_ssl folks about this sort of
thing (though not in pkcs11 exactly) recently.

I've recorded this feature suggestion here:


I'd be happy to see patches or even a proposed API for it.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1010 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20140411/97d51a8b/attachment.sig>

More information about the mod_gnutls-devel mailing list