[mod_gnutls-devel] New GnuTLS key handling API and TLS proxy support

Thomas Klute thomas2.klute at uni-dortmund.de
Sun Apr 26 22:25:25 CEST 2015


On 22.04.2015 at 11:40, Nikos Mavrogiannopoulos wrote:
> On Tue, Apr 21, 2015 at 11:34 PM, Thomas Klute
> <thomas2.klute at uni-dortmund.de> wrote:
>> b) Using the new key handling API should make it possible to use PKCS
>> #11 URLs for X.509 keys and certificates, but I haven't tested that. I'd
>> welcome reports, and it would be even better if anyone could write PKCS
>> #11 test cases using a simulated HSM (maybe SoftHSM would work?).
> 
> In gnutls I use an automated test suite with softhsm. It generates
> keys using softhsm and then runs gnutls-serv and gnutls-cli.
> https://gitlab.com/gnutls/gnutls/blob/master/tests/suite/testpkcs11
> https://gitlab.com/gnutls/gnutls/blob/master/tests/suite/testpkcs11.softhsm
> The test suite assumes that softhsm is configured with p11-kit.

Thank you for the hint! I've successfully tested a PKCS #11
configuration with SoftHSM, though I didn't get around to writing an
automated test yet. :-)

By the way, is there any reason not to call gnutls_pkcs11_add_provider
after gnutls_global_init (without a previous call to gnutls_pkcs11_init)
as long as mixing the new provider with system defaults is not a
problem? It doesn't seem to be the expected case in the PKCS #11
Initialization chapter [1] of the GnuTLS documentation, but the API
documentation doesn't warn against it either.

> For deployment one would have to use softhsm over caml-crush (to
> ensure that the server has no access to keys):
> https://github.com/ANSSI-FR/caml-crush/wiki
> 
>> Sadly, I can't make an upstream release, but I'd like to hear how this
>> works for you.
> 
> Would it make sense to fork the project?

I'm seriously considering that, though I'd really like to keep the name
and some kind of continuity, in particular because I expect that would
make it easier to get new releases into distributions. :-/

Your mail wasn't forwarded over the mailing list for some reason, but
since you kept it on CC I've done the same.

Regards,
Thomas

[1] http://www.gnutls.org/manual/html_node/PKCS11-Initialization.html