[mod_gnutls-devel] New GnuTLS key handling API and TLS proxy support

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Apr 22 11:40:22 CEST 2015

On Tue, Apr 21, 2015 at 11:34 PM, Thomas Klute
<thomas2.klute at uni-dortmund.de> wrote:
> Hi everyone!
> I finally got around to merging Nikos Mavrogiannopoulos' patch [1] to
> use the newer GnuTLS key handling API with my TLS proxy support. You can
> find the result in the master branch of my Github repository:
>   https://github.com/airtower-luna/mod_gnutls
> I had merged Nikos' patch with my bugfixes and test suite improvements a
> while ago (see [2]), but then didn't have time to merge with the TLS
> proxy support as well. Some notes on the current status (at commit
> 4133f2dd7749879a231db4aa1fcea63d3a8dc3c1 [3]):

Very nice work.

> b) Using the new key handling API should make it possible to use PKCS
> #11 URLs for X.509 keys and certificates, but I haven't tested that. I'd
> welcome reports, and it would be even better if anyone could write PKCS
> #11 test cases using a simulated HSM (maybe SoftHSM would work?).

In gnutls I use an automated test suite with softhsm. It generates
keys using softhsm and then runs gnutls-serv and gnutls-cli.
The test suite assumes that softhsm is configured with p11-kit.

For deployment one would have to use softhsm over caml-crush (to
ensure that the server has no access to keys):

> Sadly, I can't make an upstream release, but I'd like to hear how this
> works for you.

Would it make sense to fork the project?


More information about the mod_gnutls-devel mailing list