[mod_gnutls-devel] (no subject)

Thomas Calderon calderon.thomas at gmail.com
Thu Jul 10 09:09:44 CEST 2014


Hello Nikos,

I tried your patch for mod_gnutls but I am having trouble getting a working
setup with a PKCS#11 software token.
I have investigated a bit: mod_gnutls finds my server certificate and
obtains a handle on the private key stored in the PKCS#11 token.
However, the TLS stack never uses them and the HTTPS service is not
available.

The following pattern keeps repeating in my error.log:

...
[...] [emerg] GnuTLS: Failed to reinitialize PKCS #11
[...] [emerg] GnuTLS: Failed to Re-Import Private Key URL
'pkcs11:objecttype=private;object=web_server': (-300) PKCS #11 error.
[...] [emerg] GnuTLS: Failed to reinitialize PKCS #11
...

Here is my Apache configuration ("web_server" being a valid label of a
PKCS#11 object in my token):
...
        GnuTLSEnable on
        GnuTLSSessionTickets on
        GnuTLSPriorities NORMAL

        GnuTLSPIN <my_pin>
        GnuTLSCertificateFile "pkcs11:objecttype=cert;object=web_server"
        GnuTLSKeyFile "pkcs11:objecttype=private;object=web_server"
...

I think the problem might come from the code that is supposed to handle
"fork" detection to re-initialize the PKCS#11 library.
The PKCS#11 traces I obtained indicate multiple calls in the same process to
C_Initialize ending with the error code CKR_CRYPTOKI_ALREADY_INITIALIZED.
Does your patch assume a specific Apache MPM to work? I have tried
both the prefork and threaded Apache MPMs without success.
Could it be that the keying material is only initialized in the Apache main
process but not available in its child processes?

Thanks for your feedback.

Kind regards,

Thomas Calderon.
On Fri, Jul 4, 2014 at 3:48 PM, Nikos Mavrogiannopoulos <
n.mavrogiannopoulos at gmail.com> wrote:

> Hello,
>  The attached patch adds PKCS #11/TPM support to mod_gnutls. The
> objects (keys and certificates) can be specified as PKCS #11 URLs
> [0], and you can see those URLs using gnutls' p11tool. Most probably
> some better documentation of these URLs is needed.
>
> This requires gnutls 3.1.3 or later, and as a side-effect this patch
> allows encrypted keys to be loaded by mod_gnutls (PKCS #8/#12 and
> openssl format).
>
> regards,
> Nikos
>
> [0] http://www.gnutls.org/manual/html_node/Reading-objects.html#Reading-objects
>
> _______________________________________________
> mod_gnutls-devel mailing list
> mod_gnutls-devel at lists.gnutls.org
> http://lists.gnupg.org/mailman/listinfo/mod_gnutls-devel
>
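The two directives in the configuration above refer to the certificate and the key by PKCS #11 URL, and the manual page linked as [0] describes that URL syntax. As an added illustration, not part of either message nor of mod_gnutls or GnuTLS, the following standalone Python parses such URLs (the RFC 7512 form with `type=` as well as the older GnuTLS spelling `objecttype=` used in the mail, which is treated as an alias) and cross-checks a certificate/key URL pair the way one would before putting it into GnuTLSCertificateFile and GnuTLSKeyFile. The attribute names are the ones from RFC 7512; the sample URLs are the ones from the mail plus constructed ones, and the `check_cert_key_pair` findings are this example's own sanity rules, not checks that mod_gnutls performs.

```python
"""Parse PKCS #11 URIs (RFC 7512 style) and sanity-check a cert/key URL pair.

Added example, not code from mod_gnutls or GnuTLS. Accepts the older GnuTLS
spelling "objecttype=" as an alias for "type=" so that the URLs from the
mail above parse unchanged.
"""
from urllib.parse import unquote_to_bytes

SCHEME = "pkcs11:"
# Path attributes (before '?', separated by ';') and query attributes
# (after '?', separated by '&') as named in RFC 7512.
PATH_ATTRS = {
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-description", "library-version", "object", "type", "id",
    "slot-id", "slot-description", "slot-manufacturer",
}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
ALIASES = {"objecttype": "type"}  # pre-RFC GnuTLS name, as in the mail
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}


def parse_pkcs11_uri(uri: str) -> dict:
    """Return the URI's attributes as a dict; 'id' is kept as raw bytes."""
    if not uri.startswith(SCHEME):
        raise ValueError("not a pkcs11: URI: %r" % uri)
    path, _, query = uri[len(SCHEME):].partition("?")
    attrs = {}

    def take(segment: str, allowed: set, sep: str) -> None:
        for part in (segment.split(sep) if segment else []):
            name, eq, value = part.partition("=")
            if not eq:
                raise ValueError("attribute without '=': %r" % part)
            name = ALIASES.get(name, name)
            if name not in allowed:
                raise ValueError("unknown or misplaced attribute: %r" % name)
            if name in attrs:
                raise ValueError("duplicate attribute: %r" % name)
            raw = unquote_to_bytes(value)  # percent-decoding, '+' is literal
            attrs[name] = raw if name == "id" else raw.decode("utf-8")

    take(path, PATH_ATTRS, ";")
    take(query, QUERY_ATTRS, "&")
    if "type" in attrs and attrs["type"] not in OBJECT_TYPES:
        raise ValueError("unknown object type: %r" % attrs["type"])
    return attrs


def check_cert_key_pair(cert_uri: str, key_uri: str) -> list:
    """Return a list of findings (empty means the pair looks consistent).

    These are this example's own rules: the two URLs should name a cert and
    a private key, agree on every token/object attribute they both carry,
    pin the key to a specific token, and not embed the PIN in the URL.
    """
    cert, key = parse_pkcs11_uri(cert_uri), parse_pkcs11_uri(key_uri)
    findings = []
    if cert.get("type") != "cert":
        findings.append("certificate URL should carry type=cert")
    if key.get("type") != "private":
        findings.append("key URL should carry type=private")
    for name in ("token", "serial", "manufacturer", "model", "object", "id"):
        if name in cert and name in key and cert[name] != key[name]:
            findings.append("%s differs between certificate and key URL" % name)
    if not any(n in key for n in ("token", "serial", "slot-id")):
        findings.append("key URL names no token; it is not pinned to a specific token")
    if "pin-value" in cert or "pin-value" in key:
        findings.append("pin-value embeds the PIN in the URL; prefer a separate PIN source")
    return findings


if __name__ == "__main__":
    # The URLs from the mail above (constructed usage, no token needed).
    cert_url = "pkcs11:objecttype=cert;object=web_server"
    key_url = "pkcs11:objecttype=private;object=web_server"
    print(parse_pkcs11_uri(key_url))
    for finding in check_cert_key_pair(cert_url, key_url):
        print("finding:", finding)
```

The parser keeps `id` as bytes because CKA_ID is binary and is percent-encoded byte-wise in the URL, while labels such as `object` are UTF-8 text. Run against the mail's own pair, the only finding is that neither URL names a token, which is harmless with a single software token but worth pinning (`token=` or `serial=`) on a host with several modules or slots.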