[mod_gnutls-devel] (no subject)

Thomas Calderon calderon.thomas at gmail.com
Thu Jul 10 17:54:24 CEST 2014 

On Thu, Jul 10, 2014 at 12:54 PM, Nikos Mavrogiannopoulos <
n.mavrogiannopoulos at gmail.com> wrote:

> On Thu, Jul 10, 2014 at 9:09 AM, Thomas Calderon
> <calderon.thomas at gmail.com> wrote:
> > Hello Nikos,
> > I tried your patch for mod_gnutls but I am having issues to have a
> working
> > setup with a PKCS#11 software token.
> > I have investigated a bit: mod_gnutls finds my server certificate and
> > obtains a handle on the
> > private key stored in the PKCS#11 token.
> > However, the TLS stack never uses them and the HTTPS service is not
> > available.
> >
> > The following pattern keeps repeating in my error.log:
> > ...
> > [...] [emerg] GnuTLS: Failed to reinitialize PKCS #11
> > [...] [emerg] GnuTLS: Failed to Re-Import Private Key URL
> > 'pkcs11:objecttype=private;object=web_server': (-300) PKCS #11 error.
> > [...] [emerg] GnuTLS: Failed to reinitialize PKCS #11
> > I think the problem might come from the code that is supposed to handle
> > "fork" detection to re-initialize the PKCS#11 library.
> > The PKCS#11 traces I obtained indicate multiple call in the same process
> to
> > C_Initialize ending with the error code CKR_CRYPTOKI_ALREADY_INITIALIZED.
>
> Hello Thomas,
>  It could be. After a fork() pkcs #11 requires that C_Initialize is
> called again, and I realized that some soft tokens return an error
> code in that case. Maybe we can simply ignore the already initialized
> error code; would ignoring it solve the issue? I'll check to it once
> I'm back (I'm on vacations until the 21st).
>

Hi Nikos,

This was indeed the issue, the software token (softhsm) did not implement
proper checks on fork.
I managed to have a working setup using Caml Crush (our filtering PKCS#11
proxy) which is great.

To go a little bit further, is it possible to fetch multiple certificates
on the token to build the
complete certification path ? In case it is not feasible, a workaround
could consist of using local files and append them to
the server certificate found on the token.

Anyhow thanks for the current patch (tested on Debian 7 with gnutls
backports and the patch applied over mod_gnutls version 0.6).

Enjoy your holidays.

Kind regards,

Thomas Calderon


>
> > Does your patch assume a specific Apache MPM model to work ? I have tried
> > without success both the prefork and threaded Apache model.
> > Could it be that the keying material is only initialized in Apache main
> > process but not available in its child processes ?
>
> I have tried it on the pre-forked server, but with hardware tokens,
> and a modified software token that doesn't return the already
> initialized error.
>
> regards,
> Nikos
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20140710/0492b842/attachment.html>

More information about the mod_gnutls-devel mailing list