[mod_gnutls-devel] (no subject)

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Thu Jul 10 12:54:59 CEST 2014


On Thu, Jul 10, 2014 at 9:09 AM, Thomas Calderon
<calderon.thomas at gmail.com> wrote:
> Hello Nikos,
> I tried your patch for mod_gnutls but I am having trouble getting a working
> setup with a PKCS#11 software token.
> I have investigated a bit: mod_gnutls finds my server certificate and
> obtains a handle on the private key stored in the PKCS#11 token.
> However, the TLS stack never uses them and the HTTPS service is not
> available.
>
> The following pattern keeps repeating in my error.log:
> ...
> [...] [emerg] GnuTLS: Failed to reinitialize PKCS #11
> [...] [emerg] GnuTLS: Failed to Re-Import Private Key URL
> 'pkcs11:objecttype=private;object=web_server': (-300) PKCS #11 error.
> [...] [emerg] GnuTLS: Failed to reinitialize PKCS #11
> I think the problem might come from the code that is supposed to handle
> "fork" detection to re-initialize the PKCS#11 library.
> The PKCS#11 traces I obtained indicate multiple calls in the same process to
> C_Initialize ending with the error code CKR_CRYPTOKI_ALREADY_INITIALIZED.

Hello Thomas,
It could be. After a fork() PKCS #11 requires that C_Initialize is
called again, and I realized that some soft tokens return an error
code in that case. Maybe we can simply ignore the already-initialized
error code; would ignoring it solve the issue? I'll look into it once
I'm back (I'm on vacation until the 21st).

> Does your patch assume a specific Apache MPM model to work ? I have tried
> without success both the prefork and threaded Apache model.
> Could it be that the keying material is only initialized in Apache main
> process but not available in its child processes ?

I have tried it on the prefork server, but with hardware tokens
and a modified software token that doesn't return the already-initialized
error.

regards,
Nikos
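The fork handling discussed in this thread, as an added example (written for this page; it is not mod_gnutls or GnuTLS code). A forked child is detected by comparing getpid() against the pid that last completed initialization, and C_Initialize is re-run only then. The wrapper has a switch that makes CKR_CRYPTOKI_ALREADY_INITIALIZED count as success, which is the change Nikos proposes; with the switch off it reproduces the failure Thomas saw. The function name `pkcs11_reinit_if_forked` is hypothetical, the "soft token" is a constructed stand-in whose initialized flag is inherited across fork() (so it rejects a second C_Initialize in the child), and the CKR_* values are the ones defined by the PKCS#11 specification. Whether a module that reports ALREADY_INITIALIZED is actually usable in the child is module-specific; the example only shows the control flow.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

typedef unsigned long CK_RV;               /* PKCS#11 return-value type */
#define CKR_OK                             0x000UL
#define CKR_GENERAL_ERROR                  0x005UL
#define CKR_CRYPTOKI_ALREADY_INITIALIZED   0x191UL  /* value from the PKCS#11 spec */

/* Constructed soft-token stand-in (not a real module). Its "initialized"
 * flag lives in process memory and is therefore copied into a forked
 * child, so a second C_Initialize in the child returns
 * CKR_CRYPTOKI_ALREADY_INITIALIZED, as in the traces reported above. */
static int soft_token_initialized = 0;
static int soft_token_init_calls = 0;

static CK_RV soft_token_C_Initialize(void *init_args)
{
    (void)init_args;
    soft_token_init_calls++;
    if (soft_token_initialized)
        return CKR_CRYPTOKI_ALREADY_INITIALIZED;
    soft_token_initialized = 1;
    return CKR_OK;
}

/* Stand-in for a module that is genuinely broken; this must still fail. */
static CK_RV failing_C_Initialize(void *init_args)
{
    (void)init_args;
    return CKR_GENERAL_ERROR;
}

/* Pid that last completed initialization; 0 means "never". */
static pid_t init_pid = 0;

/* Fork-aware wrapper (hypothetical name). Calls C_Initialize again only
 * when current_pid differs from the pid that last initialized the module,
 * which is how a forked child is detected. With
 * tolerate_already_initialized set, CKR_CRYPTOKI_ALREADY_INITIALIZED is
 * treated as success; any other non-OK code is a real failure.
 * Returns 0 on success, -1 on failure (init_pid is left unchanged so a
 * later call retries). */
int pkcs11_reinit_if_forked(pid_t current_pid,
                            CK_RV (*c_initialize)(void *),
                            int tolerate_already_initialized)
{
    CK_RV rv;

    if (init_pid == current_pid)
        return 0;                       /* same process, nothing to do */

    rv = c_initialize(NULL);
    if (rv == CKR_OK ||
        (rv == CKR_CRYPTOKI_ALREADY_INITIALIZED && tolerate_already_initialized)) {
        init_pid = current_pid;
        return 0;
    }
    return -1;
}

/* Stand-alone demonstration with a real fork(): the parent initializes,
 * the child re-initializes first strictly and then tolerantly. */
int main(void)
{
    pid_t child;
    int status;

    if (pkcs11_reinit_if_forked(getpid(), soft_token_C_Initialize, 1) != 0) {
        fprintf(stderr, "parent: C_Initialize failed\n");
        return 1;
    }
    child = fork();
    if (child < 0) {
        perror("fork");
        return 1;
    }
    if (child == 0) {
        /* init_pid was inherited, but getpid() differs, so re-init runs */
        int strict = pkcs11_reinit_if_forked(getpid(), soft_token_C_Initialize, 0);
        int tolerant = pkcs11_reinit_if_forked(getpid(), soft_token_C_Initialize, 1);
        printf("child: strict=%d tolerant=%d\n", strict, tolerant);
        _exit(tolerant == 0 ? 0 : 1);
    }
    waitpid(child, &status, 0);
    printf("parent: child exit status %d\n", WEXITSTATUS(status));
    return 0;
}
```

In the child, the strict call fails (-1, the "Failed to reinitialize PKCS #11" path) while the tolerant call succeeds (0) and records the child's pid, so subsequent calls in that child do not touch C_Initialize again. A module that returns any other error, such as the failing stand-in, is still reported as a failure in both modes.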
