[mod_gnutls-devel] mod_gnutls + pkcs11 = less data leaked (?)

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Jun 27 08:48:18 CEST 2014


On Thu, 2014-06-26 at 20:13 +0200, Thomas Calderon wrote:
> Hi there,

> I followed your discussion back in April towards supporting PKCS#11 in
> mod_gnutls.
> I would like to point out that I co-developed Caml Crush, a PKCS#11
> filtering proxy. Our work addresses the various shortcomings of the
> PKCS#11 API.
> However, since it is a client/server approach it can be used as an
> elegant way to isolate the keying materials from the web server's
> memory.
> We have successfully tested this approach using mod_nss (since PKCS#11
> tokens are natively supported within NSS databases).

Hello Thomas,
 Actually that's pretty nice. Have you tried using the opendnssec
softhsm module as backend? How much was the slowdown due to the usage of
isolation? I didn't know about caml-crush so I'll certainly test it.

regards,
Nikos
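To make the isolation Thomas describes concrete, here is an added sketch of the pattern (my own illustration, not code from mod_gnutls, mod_nss or Caml Crush): the key lives only in a separate signer process, the "web server" side talks to it over a pipe, can ask for sign/verify operations, and is refused when it asks for the key value itself, the way a filtering proxy can deny sensitive attribute reads. HMAC-SHA256 stands in for the RSA/ECDSA private-key operation so the example runs with the standard library only; the attribute names are borrowed from PKCS#11 but the policy table, the wire format and the class names are assumptions for this example.

```python
"""Sketch of a PKCS#11-style key-isolation proxy (illustration only).

The signer process generates and holds the key; the client process never
sees it. HMAC-SHA256 stands in for a real private-key operation.
"""
import hashlib
import hmac
import secrets
from multiprocessing import get_context

# Attributes the proxy refuses to return (names from PKCS#11, policy is ours).
SENSITIVE_ATTRS = {"CKA_VALUE", "CKA_PRIVATE_EXPONENT"}
# Non-sensitive metadata the proxy is willing to report (constructed example).
PUBLIC_ATTRS = {"CKA_LABEL": "web-key", "CKA_EXTRACTABLE": False}


def _signer_loop(conn):
    """Runs in the isolated process: generate the key here, after the fork,
    so the parent process never holds a copy of it."""
    key = secrets.token_bytes(32)
    while True:
        req = conn.recv()
        op = req["op"]
        if op == "sign":
            sig = hmac.new(key, req["data"], hashlib.sha256).digest()
            conn.send({"ok": True, "sig": sig})
        elif op == "verify":
            expected = hmac.new(key, req["data"], hashlib.sha256).digest()
            conn.send({"ok": True, "valid": hmac.compare_digest(expected, req["sig"])})
        elif op == "get_attribute":
            attr = req["attr"]
            if attr in SENSITIVE_ATTRS:
                # Filtering policy: key material is never returned to the caller.
                conn.send({"ok": False, "error": "CKR_ATTRIBUTE_SENSITIVE"})
            else:
                conn.send({"ok": True, "value": PUBLIC_ATTRS.get(attr)})
        elif op == "close":
            conn.send({"ok": True})
            return
        else:
            conn.send({"ok": False, "error": "CKR_FUNCTION_NOT_SUPPORTED"})


class KeyProxyClient:
    """The web-server side: only a pipe to the signer, no key material."""

    def __init__(self):
        ctx = get_context("fork")  # assumes a Unix host
        self._conn, child_conn = ctx.Pipe()
        self._proc = ctx.Process(target=_signer_loop, args=(child_conn,), daemon=True)
        self._proc.start()
        child_conn.close()  # parent keeps only its own end of the pipe

    def _call(self, **req):
        self._conn.send(req)
        return self._conn.recv()

    def sign(self, data: bytes) -> bytes:
        return self._call(op="sign", data=data)["sig"]

    def verify(self, data: bytes, sig: bytes) -> bool:
        return self._call(op="verify", data=data, sig=sig)["valid"]

    def get_attribute(self, attr: str):
        """Returns (True, value) or (False, error_code) exactly as the proxy answers."""
        r = self._call(op="get_attribute", attr=attr)
        return (True, r["value"]) if r["ok"] else (False, r["error"])

    def close(self):
        self._call(op="close")
        self._proc.join()


if __name__ == "__main__":
    client = KeyProxyClient()
    sig = client.sign(b"ClientHello transcript")
    print("signature:", sig.hex())
    print("verify:", client.verify(b"ClientHello transcript", sig))
    print("CKA_VALUE:", client.get_attribute("CKA_VALUE"))
    client.close()
```

In a real deployment the signer would be a separate daemon reached over a socket (as a PKCS#11 proxy does) rather than a fork of the web server, and the operation would be an RSA or ECDSA signature; the point the sketch shows is that a compromise of the client process yields signatures on demand, but not the key.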