[mod_gnutls-devel] mod_gnutls + pkcs11 = less data leaked (?)

Thomas Calderon calderon.thomas at gmail.com
Fri Jun 27 09:23:41 CEST 2014

Hi Nikos,

During our development we used various cryptographic backends such as
SoftHSM or openCryptoki.
I would recommend SoftHSM as it is much simpler and cleaner code (it has
fewer features which are not relevant to TLS session establishment).
We also used hardware backends (smartcards or HSMs) to test out our code.

As for the slowdown, we have only preliminary results. In the case of
mod_nss it is negligible when compared to local storage of certificates and
This is due to the fact that the crypto is done purely in software so it
competes quite well.
However, these results were obtained with our PKCS#11 filtering proxy on
the same machine as the web server. Obviously if you further isolate the
web server and Caml Crush on different computers, it should increase
response time.

We plan to release more performance results in the near future.
There are significant shortcomings to the upstream mod_nss module (such as
not supporting server-side DHE ciphersuites).
Testing other TLS Apache modules is also in our roadmap (for instance
mod_ssl requires patching). This is why it would be great to have

Do not hesitate to provide feedback on Caml Crush.

Kind regards,

Thomas Calderon

On Fri, Jun 27, 2014 at 8:48 AM, Nikos Mavrogiannopoulos <nmav at gnutls.org>

> On Thu, 2014-06-26 at 20:13 +0200, Thomas Calderon wrote:
> > Hi there,
> > I followed your discussion back in April towards supporting PKCS#11 in
> > mod_gnutls.
> > I would like to point out that I co-developed Caml Crush, a PKCS#11
> > filtering proxy. Our work addresses the various shortcomings of the
> > PKCS#11 API.
> > However, since it is a client/server approach it can be used as an
> > elegant way to isolate the keying materials from the web server's
> > memory.
> > We have successfully tested this approach using mod_nss (since PKCS#11
> > tokens are natively supported within NSS databases).
> Hello Thomas,
>  Actually that's pretty nice. Have you tried using the opendnssec
> softhsm module as backend? How much was the slowdown due to the usage of
> isolation? I didn't know about caml-crush so I'll certainly test it.
> regards,
> Nikos