[mod_gnutls-devel] New GnuTLS key handling API and TLS proxy support

Thomas Klute thomas2.klute at uni-dortmund.de
Tue Apr 21 23:34:55 CEST 2015

Hi everyone!

I finally got around to merging Nikos Mavrogiannopoulos' patch [1] to
use the newer GnuTLS key handling API with my TLS proxy support. You can
find the result in the master branch of my Github repository:


I had merged Nikos' patch with my bugfixes and test suite improvements a
while ago (see [2]), but then didn't have time to merge with the TLS
proxy support as well. Some notes on the current status (at commit
4133f2dd7749879a231db4aa1fcea63d3a8dc3c1 [3]):

a) There were a few problems with OpenPGP key handling in GnuTLS, which
required workarounds. Kudos to Nikos for very fast help with debugging
(you can see our conversation in the comments to [1])! The bugs should
be fixed in GnuTLS 3.3.12 and newer, so the workarounds use version
guards. However, I haven't actually tested with a version newer than
3.3.8 yet, so it would be great if someone could do that.

b) Using the new key handling API should make it possible to use PKCS
#11 URLs for X.509 keys and certificates, but I haven't tested that. I'd
welcome reports, and it would be even better if anyone could write PKCS
#11 test cases using a simulated HSM (maybe SoftHSM would work?).

c) At the moment, proxy TLS connections support only file-based X.509
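
As an added illustration (not part of this post or of the mod_gnutls tree), here is what a file-based X.509 setup for a TLS proxy virtual host looks like. The directive names are taken from the mod_gnutls documentation of the proxy feature (GnuTLSProxyEngine, GnuTLSProxyCAFile, GnuTLSProxyCertificateFile, GnuTLSProxyKeyFile) and are assumed to match this branch; all file paths and host names are placeholders. PKCS #11 URLs are deliberately not used here, since the post says that path is untested.

```apache
# Added example configuration, not from the original post.
# Front-end: Apache terminates TLS for clients with mod_gnutls.
<VirtualHost *:443>
    ServerName www.example.com

    GnuTLSEnable          On
    GnuTLSCertificateFile /etc/apache2/tls/server.crt    # placeholder path
    GnuTLSKeyFile         /etc/apache2/tls/server.key    # placeholder path

    # Back-end: mod_gnutls acts as a TLS client towards the proxied server.
    # Directive names assumed from the mod_gnutls documentation.
    GnuTLSProxyEngine          On
    # CA used to verify the back-end's certificate; without this the proxy
    # connection is encrypted but the back-end identity is not checked.
    GnuTLSProxyCAFile          /etc/apache2/tls/backend-ca.crt
    # Optional client certificate so the back-end can authenticate the proxy.
    GnuTLSProxyCertificateFile /etc/apache2/tls/proxy-client.crt
    GnuTLSProxyKeyFile         /etc/apache2/tls/proxy-client.key

    # mod_proxy_http carries the requests; the https:// scheme is what
    # triggers the TLS proxy path.
    ProxyPass        / https://backend.internal.example/
    ProxyPassReverse / https://backend.internal.example/
</VirtualHost>
```

The security-relevant check is GnuTLSProxyCAFile: it decides whether the back-end certificate is actually verified. When testing a build like the one announced here, confirm that a back-end presenting a certificate from a different CA is rejected, not just that the connection succeeds.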

Sadly, I can't make an upstream release, but I'd like to hear how this
works for you.


[2] https://github.com/airtower-luna/mod_gnutls/tree/new-gnutls-api
