Bug 1236526

Summary: Proper PKCS #11 support in nginx
Product: Fedora
Component: nginx
Version: 22
Status: CLOSED EOL
Reporter: Nikos Mavrogiannopoulos <nmavrogi>
Assignee: Nikos Mavrogiannopoulos <nmavrogi>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: athmanem, bperkins, jamielinux, jeremy, jkaluza, pavel.lisy, peter.borsa, sauchter, wtogami
Severity: unspecified
Priority: unspecified
Keywords: Tracking
Hardware: Unspecified
OS: Unspecified
Type: Bug
Doc Type: Bug Fix
Last Closed: 2016-07-19 15:06:56 UTC
Bug Depends On: 1217915, 1218797, 1233593, 1235284, 1271501
Bug Blocks: 1173546

Description Nikos Mavrogiannopoulos 2015-06-29 11:15:04 UTC
Description of problem:
Currently nginx supports PKCS #11 via engine_pkcs11, but this support is broken in various ways.
1. PKCS #11 URLs cannot be loaded (see #1233593); the URLs have to be specified as "engine:pkcs11:pkcs11:xxx", which defeats the purpose of using PKCS #11 URLs in the first place (see #1173546).
2. nginx by default uses the fork model, and PKCS #11 requires special handling of forking processes. That special handling is not there, making any HSMs and software security modules unusable (softhsm happens to work incidentally) - see #1235284.
3. p11-kit has a deadlock on fork making engine_pkcs11 (as used by nginx) unusable.

Steps to Reproduce:
1. Configure a PKCS #11 module
2. Specify PKCS #11 URLs as "engine:pkcs11:URL" in the configuration file
3. Run nginx and try to connect to HTTPS port

Actual results:
Crash or deadlock.

Expected results:
Normal operation.

Comment 1 Nikos Mavrogiannopoulos 2015-06-30 09:32:44 UTC
I'm adding another related issue.
4. Any HSMs used via opensc will fail, because opensc has a bug on fork(). See #1218797. Fortunately there are no major HSMs supported via opensc (mostly smart cards).

Comment 2 Nikos Mavrogiannopoulos 2015-09-22 07:14:54 UTC
Added #1265106, which prevents p11-kit from being usable under Fedora's SELinux policy for web servers.

Comment 3 Fedora End Of Life 2016-07-19 15:06:56 UTC
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.