[mod_gnutls-devel] New GnuTLS key handling API and TLS proxy support
thomas2.klute at uni-dortmund.de
Tue Apr 21 23:34:55 CEST 2015
I finally got around to merging Nikos Mavrogiannopoulos' patch to
use the newer GnuTLS key handling API with my TLS proxy support. You can
find the result in the master branch of my Github repository:
I had merged Nikos' patch with my bugfixes and test suite improvements a
while ago (see ), but then didn't have time to merge with the TLS
proxy support as well. Some notes on the current status (at commit
a) There were a few problems with OpenPGP key handling in GnuTLS, which
required workarounds. Kudos to Nikos for very fast help with debugging
(you can see our conversation in the comments to )! The bugs should
be fixed in GnuTLS 3.3.12 and newer, so the workarounds use version
guards. However, I haven't actually tested with a version newer than
3.3.8 yet, so it would be great if someone could do that.
b) Using the new key handling API should make it possible to use PKCS
#11 URLs for X.509 keys and certificates, but I haven't tested that. I'd
welcome reports, and it would be even better if anyone could write PKCS
#11 test cases using a simulated HSM (maybe SoftHSM would work?).
c) At the moment, proxy TLS connections support only file based X.509
Sadly, I can't make an upstream release, but I'd like to hear how this
works for you.
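Item (b) above asks for PKCS #11 test cases against a simulated HSM. GnuTLS addresses keys and certificates on a token with RFC 7512 `pkcs11:` URIs, so a test suite needs to construct such URIs and check that they select exactly the intended object. The following is an added example, not code from mod_gnutls, GnuTLS or the author of this message: a small RFC 7512 URI parser plus a matcher run against a constructed token inventory shaped like what a SoftHSM token would expose (token label, manufacturer, serial, and objects with CKA_LABEL, type and CKA_ID). The token names, object labels and IDs are made up for the example.

```python
"""RFC 7512 PKCS #11 URI parsing and object selection (added example, not project code).

Path attributes (before "?") identify a token and object; query attributes (after "?")
say how to reach it. Attributes absent from the URI act as wildcards, so a URI that
names only an object label can match on several tokens, which a test should catch.
"""
from urllib.parse import unquote, unquote_to_bytes

OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}


class Pkcs11UriError(ValueError):
    """Raised for URIs that violate the RFC 7512 grammar."""


def _split_attrs(section, separator, where):
    attrs = {}
    for item in section.split(separator):
        if not item:
            continue
        name, sep, value = item.partition("=")
        if not sep or not name:
            raise Pkcs11UriError(f"malformed {where} attribute {item!r}")
        # Repeated attributes make matching ambiguous; reject them outright.
        if name in attrs:
            raise Pkcs11UriError(f"duplicate {where} attribute {name!r}")
        if name == "id":
            attrs[name] = unquote_to_bytes(value)   # CKA_ID is raw bytes, not text
        elif name == "slot-id":
            try:
                attrs[name] = int(value)
            except ValueError:
                raise Pkcs11UriError(f"slot-id must be numeric, got {value!r}") from None
        else:
            attrs[name] = unquote(value)            # percent-decoded UTF-8 text
    return attrs


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) for a pkcs11: URI."""
    if not uri.startswith("pkcs11:"):
        raise Pkcs11UriError("URI must use the pkcs11: scheme")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")
    path = _split_attrs(path_part, ";", "path")
    query = _split_attrs(query_part, "&", "query")
    if "type" in path and path["type"] not in OBJECT_TYPES:
        raise Pkcs11UriError(f"unknown object type {path['type']!r}")
    return path, query


def uri_has_inline_pin(uri):
    """True if the URI carries the PIN itself (pin-value). In a server config that
    leaks the PIN to anyone who can read the file; pin-source is the safer choice."""
    _, query = parse_pkcs11_uri(uri)
    return "pin-value" in query


def object_matches(path, token, obj):
    """Every path attribute present in the URI must equal the token/object record."""
    for name, wanted in path.items():
        record = obj if name in ("object", "type", "id") else token
        if record.get(name) != wanted:
            return False
    return True


def select_objects(uri, tokens):
    """Return (token label, object label, type) for every object the URI selects."""
    path, _ = parse_pkcs11_uri(uri)
    return [
        (token["token"], obj["object"], obj["type"])
        for token in tokens
        for obj in token["objects"]
        if object_matches(path, token, obj)
    ]


# Constructed inventory standing in for two SoftHSM tokens; not real token data.
SAMPLE_TOKENS = [
    {"token": "mod_gnutls test", "manufacturer": "SoftHSM project",
     "serial": "0000000000000001", "model": "SoftHSM v2", "slot-id": 0,
     "objects": [
         {"object": "server-key", "type": "private", "id": b"\x01\x02"},
         {"object": "server-key", "type": "public", "id": b"\x01\x02"},
         {"object": "server-cert", "type": "cert", "id": b"\x01\x02"},
     ]},
    {"token": "other token", "manufacturer": "SoftHSM project",
     "serial": "0000000000000002", "model": "SoftHSM v2", "slot-id": 1,
     "objects": [
         {"object": "server-key", "type": "private", "id": b"\xaa"},
     ]},
]

if __name__ == "__main__":
    pinned = "pkcs11:token=mod_gnutls%20test;object=server-key;type=private"
    loose = "pkcs11:object=server-key;type=private"
    print(select_objects(pinned, SAMPLE_TOKENS))   # exactly one private key
    print(select_objects(loose, SAMPLE_TOKENS))    # two hits: URI is underspecified
```

A test case built on this would assert that the URI used in the Apache configuration selects exactly one object; the `loose` URI above shows the failure mode a SoftHSM setup with more than one token would expose.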