Bug 1233593
Field | Value
---|---
Summary | nginx cannot load PKCS #11 URLs
Product | Fedora
Component | nginx
Reporter | Nikos Mavrogiannopoulos <nmavrogi>
Assignee | Nikos Mavrogiannopoulos <nmavrogi>
QA Contact | Fedora Extras Quality Assurance <extras-qa>
CC | athmanem, bperkins, dwmw2, jamielinux, jeremy, jkaluza, pavel.lisy, peter.borsa, wtogami
Status | CLOSED EOL
Severity | unspecified
Priority | unspecified
Version | 22
Target Milestone | ---
Target Release | ---
Hardware | Unspecified
OS | Unspecified
Doc Type | Bug Fix
Story Points | ---
Last Closed | 2016-07-19 14:55:05 UTC
Type | Bug
Regression | ---
Mount Type | ---
Documentation | ---
Category | ---
oVirt Team | ---
Cloudforms Team | ---
Bug Blocks | 1173546, 1236526
Description
Nikos Mavrogiannopoulos
2015-06-19 09:03:38 UTC
Created attachment 1040926: Proposed patch

This patch seems to address the issue for me. I'm not familiar with the nginx codebase though, and it may not be appropriate. Note that while investigating this, I realized that nginx doesn't initialize the engine (that patch addresses that issue as well).

Most of the instructions given in that mailing list post you reference should die. You shouldn't need to create an openssl.cnf to configure the engine. It should automatically load p11-kit-proxy.so as the default provider if no other is specified, which will Do The Right Thing. You can load it just with ENGINE_by_id("pkcs11"). We shouldn't require explicit configuration of the engine in the nginx config either — that 'ssl_engine pkcs11' shouldn't be needed. Whenever the "filename" for the key or cert is a PKCS#11 URI, that should be done transparently. See the patches I sent to fix wpa_supplicant along basically the same lines: http://lists.shmoo.com/pipermail/hostap/2014-December/031550.html

Created attachment 1040957: Patch set to support PKCS #11 URLs

This patch set simplifies the specification of PKCS #11 URLs. It allows directly specifying such a URL in the ssl_certificate_key field, as long as it is quoted. That is:

    ssl_certificate_key "pkcs11:model=SoftHSM..."

This is in accordance with our guidelines: https://fedoraproject.org/wiki/Packaging:SSLCertificateHandling

A minimal patch was sent upstream: http://mailman.nginx.org/pipermail/nginx-devel/2015-June/007074.html

Jamie, please provide input. If you have no time to handle it, please provide me with access to address the issue after I coordinate with upstream.

Hi Nikos. Happy to add you as co-maintainer! Please request permissions on pkgdb and I'll approve.

I've applied for permissions.

Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release.

If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
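Two mechanics the thread relies on, as an added Python example that is neither nginx's code nor the attached patch: why a PKCS #11 URI given to ssl_certificate_key has to be quoted (nginx ends an unquoted argument at the first ';', which the URI's own attribute separators would trigger), and how such a URI breaks down into RFC 7512 path and query attributes so a "filename" can be recognised and handled as a URI instead of a path. The directive tokenizer is a deliberately simplified model of nginx's, and the sample config lines are constructed.

```python
from urllib.parse import unquote

SCHEME = "pkcs11:"

def is_pkcs11_uri(value: str) -> bool:
    """Decision point from the patch: a 'filename' with the scheme prefix is a URI, not a path."""
    return value.lower().startswith(SCHEME)

def nginx_directive_value(line: str) -> str:
    """Simplified model (not nginx's parser) of reading one directive argument: an unquoted
    argument ends at whitespace or ';', a double-quoted one runs to the closing quote.
    That is why a ';'-separated PKCS#11 URI has to be quoted in ssl_certificate_key."""
    _, _, rest = line.strip().partition(" ")
    rest = rest.lstrip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end < 0:
            raise ValueError("unterminated quoted argument")
        return rest[1:end]
    for i, ch in enumerate(rest):
        if ch in " \t;":
            return rest[:i]
    return rest

def parse_pkcs11_uri(uri: str) -> dict:
    """Split an RFC 7512 URI into path attributes (';'-separated) and query attributes
    ('&'-separated), percent-decoding values; duplicate path attributes are rejected."""
    if not is_pkcs11_uri(uri):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len(SCHEME):].partition("?")
    parsed = {"path": {}, "query": {}}
    for section, part, sep in (("path", path_part, ";"), ("query", query_part, "&")):
        for item in filter(None, part.split(sep)):
            name, eq, val = item.partition("=")
            if not eq:
                raise ValueError(f"malformed attribute {item!r}")
            if section == "path" and name in parsed["path"]:
                raise ValueError(f"duplicate path attribute {name!r}")
            parsed[section][name] = unquote(val)
    return parsed

def pin_embedded(parsed: dict) -> bool:
    """True when the PIN is literal in the URI (pin-value), i.e. in plaintext nginx.conf;
    pin-source names a file to read it from instead."""
    return "pin-value" in parsed["query"]

# Constructed sample directive lines (not from the bug report).
QUOTED = 'ssl_certificate_key "pkcs11:model=SoftHSM%20v2;token=nginx;object=server-key;type=private?pin-source=file:/etc/nginx/key.pin";'
UNQUOTED = 'ssl_certificate_key pkcs11:model=SoftHSM%20v2;token=nginx;object=server-key;'
```

Running nginx_directive_value over UNQUOTED returns only "pkcs11:model=SoftHSM%20v2", the truncation the quoting requirement avoids.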