[mod_gnutls-devel] New GnuTLS key handling API and TLS proxy support

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Apr 22 11:40:22 CEST 2015


On Tue, Apr 21, 2015 at 11:34 PM, Thomas Klute
<thomas2.klute at uni-dortmund.de> wrote:
> Hi everyone!
> I finally got around to merging Nikos Mavrogiannopoulos' patch [1] to
> use the newer GnuTLS key handling API with my TLS proxy support. You can
> find the result in the master branch of my Github repository:
>   https://github.com/airtower-luna/mod_gnutls
> I had merged Nikos' patch with my bugfixes and test suite improvements a
> while ago (see [2]), but then didn't have time to merge with the TLS
> proxy support as well. Some notes on the current status (at commit
> 4133f2dd7749879a231db4aa1fcea63d3a8dc3c1 [3]):

Very nice work.

> b) Using the new key handling API should make it possible to use PKCS
> #11 URLs for X.509 keys and certificates, but I haven't tested that. I'd
> welcome reports, and it would be even better if anyone could write PKCS
> #11 test cases using a simulated HSM (maybe SoftHSM would work?).

In gnutls I use an automated test suite with softhsm. It generates
keys using softhsm and then runs gnutls-serv and gnutls-cli.
https://gitlab.com/gnutls/gnutls/blob/master/tests/suite/testpkcs11
https://gitlab.com/gnutls/gnutls/blob/master/tests/suite/testpkcs11.softhsm
The test suite assumes that softhsm is configured with p11-kit.

For deployment one would have to use softhsm over caml-crush (to
ensure that the server has no access to keys):
https://github.com/ANSSI-FR/caml-crush/wiki

> Sadly, I can't make an upstream release, but I'd like to hear how this
> works for you.

Would it make sense to fork the project?

regards,
Nikos
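Added example, not part of this thread and not code from mod_gnutls, GnuTLS or the testpkcs11 suite linked above: a POSIX shell script that builds RFC 7512 PKCS #11 URLs (with percent-encoding of token and object labels) and, when PKCS11_DEMO=1 is set, walks through the setup Nikos describes: registering SoftHSMv2 with p11-kit, initialising a token, generating the key inside the token with p11tool, issuing a self-signed certificate with certtool against the PKCS #11 key, importing the cert, and running a gnutls-serv / gnutls-cli handshake where the server only ever names the key by URL. The token and object labels, PINs, port, the libsofthsm2.so path and the assumption of SoftHSMv2 plus GnuTLS 3.6 or later (for p11tool --generate-privkey) are all assumptions, not anything stated in the thread.

```shell
#!/bin/sh
# Added example (not from the thread, mod_gnutls or GnuTLS). Builds RFC 7512
# PKCS #11 URLs and, only when PKCS11_DEMO=1, drives SoftHSMv2 + p11-kit
# through p11tool/certtool and a gnutls-serv/gnutls-cli handshake with the
# private key living in the token. Labels, PINs, port, module path and tool
# versions below are assumptions.
set -eu
export LC_ALL=C          # byte-wise percent-encoding; labels assumed ASCII

TOKEN=${TOKEN:-mod_gnutls-test}   # assumed token label
OBJ=${OBJ:-server}                # assumed label shared by key and cert objects
PIN=${PIN:-1234}                  # assumed user PIN
SO_PIN=${SO_PIN:-12345678}        # assumed security-officer PIN
PORT=${PORT:-5556}                # assumed test port

# Percent-encode every byte outside the RFC 7512 unreserved set for a
# pk11-path attribute value (ALPHA / DIGIT / "-" / "." / "_" / "~").
pct_encode() {
    _s=$1; _out=''
    while [ -n "$_s" ]; do
        _rest=${_s#?}; _c=${_s%"$_rest"}
        case $_c in
            [[:alnum:]._~-]) _out="$_out$_c" ;;
            *) _out="$_out$(printf '%%%02X' "'$_c")" ;;
        esac
        _s=$_rest
    done
    printf '%s' "$_out"
}

# pkcs11_url TOKEN OBJECT TYPE -> pkcs11:token=...;object=...;type=TYPE
# TYPE is one of private, public, cert (fixed vocabulary, not encoded).
pkcs11_url() {
    printf 'pkcs11:token=%s;object=%s;type=%s' \
        "$(pct_encode "$1")" "$(pct_encode "$2")" "$3"
}

# Register SoftHSM with p11-kit so the GnuTLS tools find the token by name.
# The .so path is an assumption (Debian/Ubuntu layout); override SOFTHSM_SO.
demo_register_module() {
    mkdir -p "$HOME/.config/pkcs11/modules"
    printf 'module: %s\n' "${SOFTHSM_SO:-/usr/lib/softhsm/libsofthsm2.so}" \
        > "$HOME/.config/pkcs11/modules/softhsm2.module"
}

# Token init, key generation inside the token, self-signed cert, cert import.
# Assumes SoftHSMv2 and GnuTLS >= 3.6. GNUTLS_PIN/GNUTLS_SO_PIN are read by
# the GnuTLS tools, so nothing prompts on the terminal.
demo_provision() {
    export GNUTLS_PIN="$PIN" GNUTLS_SO_PIN="$SO_PIN"
    softhsm2-util --init-token --free --label "$TOKEN" --so-pin "$SO_PIN" --pin "$PIN"
    p11tool --login --generate-privkey rsa --bits 2048 --label "$OBJ" \
        --outfile server-pub.pem "pkcs11:token=$(pct_encode "$TOKEN")"
    cat > cert.tmpl <<EOF
cn = "localhost"
expiration_days = 30
signing_key
tls_www_server
EOF
    # The private key never leaves the token: certtool signs through PKCS #11.
    certtool --generate-self-signed --template cert.tmpl \
        --load-privkey "$(pkcs11_url "$TOKEN" "$OBJ" private)" \
        --load-pubkey  "$(pkcs11_url "$TOKEN" "$OBJ" public)" \
        --outfile server-cert.pem
    p11tool --login --write --load-certificate server-cert.pem --label "$OBJ" \
        "pkcs11:token=$(pct_encode "$TOKEN")"
}

# Server references key and cert purely by PKCS #11 URL; client pins the cert.
demo_handshake() {
    export GNUTLS_PIN="$PIN"
    gnutls-serv --port "$PORT" \
        --x509keyfile  "$(pkcs11_url "$TOKEN" "$OBJ" private)" \
        --x509certfile "$(pkcs11_url "$TOKEN" "$OBJ" cert)" &
    _srv=$!
    trap 'kill "$_srv" 2>/dev/null' EXIT
    sleep 1
    gnutls-cli --port "$PORT" --x509cafile server-cert.pem localhost </dev/null
}

if [ "${PKCS11_DEMO:-0}" = 1 ]; then
    demo_register_module; demo_provision; demo_handshake
fi
```

The URL builder is the part mod_gnutls would consume: whatever label scheme an operator picks, the token and object fields must be percent-encoded (a space becomes %20, a semicolon %3B) or GnuTLS will parse the URL into the wrong attributes. For the caml-crush deployment Nikos mentions, only demo_register_module changes: point the p11-kit module file at the caml-crush client library instead of libsofthsm2.so, and the server process still only ever sees URLs, never key material.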