Description of problem:
Currently nginx supports PKCS #11 via engine_pkcs11, but this support is broken in various ways.

1. PKCS #11 URLs cannot be loaded (see #1233593); the URLs have to be specified as "engine:pkcs11:pkcs11:xxx", which defeats the purpose of using PKCS #11 URLs in the first place (see #1173546).

2. nginx by default uses the fork model, and PKCS #11 requires special handling of forking processes. That special handling is not there, making any HSMs and software security modules unusable (on softhsm it works incidentally) - see #1235284.

3. p11-kit has a deadlock on fork, making engine_pkcs11 (as used by nginx) unusable.

Steps to Reproduce:
1. Configure a PKCS #11 module
2. Specify PKCS #11 URLs as "engine:pkcs11:URL" in the configuration file
3. Run nginx and try to connect to the HTTPS port

Actual results:
Crash or deadlock.

Expected results:
Normal operation.
I'm adding another related issue.

4. Any HSMs used via opensc will fail, because opensc has a bug on fork(). See #1218797. Fortunately there are no major HSMs supported via opensc (mostly smart cards).
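As an added illustration of item 2 in the description and the opensc fork() issue in the comment above (this is not code from nginx, engine_pkcs11, p11-kit or opensc), the C snippet below shows the PID-tracking guard a PKCS #11 consumer needs once it forks worker processes; the Cryptoki module itself is an assumed stub, since a real library is not part of the example.

```c
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for C_Initialize() of a real PKCS #11 module (assumed here). */
static int stub_C_Initialize(void) { return 0; }

static pid_t init_pid = 0;  /* PID of the process that initialised the module */
static int   is_ready = 0;

/* Run once in the master, as nginx does when it loads the engine. */
static int p11_setup(void) {
    if (stub_C_Initialize() != 0) return -1;
    init_pid = getpid();
    is_ready = 1;
    return 0;
}

/* Call before every token operation in a worker.
 * Returns 1 if the module had to be re-initialised because the PID changed
 * (we are in a forked child, where the parent's sessions and object handles
 * are not valid), 0 if the existing state is still usable, -1 on error.
 * A real module may instead answer CKR_CRYPTOKI_ALREADY_INITIALIZED in the
 * child and need module-specific handling; the stub does not model that. */
static int p11_ensure_usable(void) {
    if (!is_ready) return -1;
    if (getpid() == init_pid) return 0;
    if (stub_C_Initialize() != 0) return -1;
    init_pid = getpid();
    return 1;
}

/* Exercise the guard across a real fork(): initialise in the parent, fork,
 * and report whether the child detected the PID change (1) or not (0). */
int child_reinitialised_after_fork(void) {
    pid_t pid;
    int status;
    if (p11_setup() != 0) return -1;
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(p11_ensure_usable() == 1 ? 0 : 1);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

/* Parent-side check: the master's own state stays valid after the fork. */
int parent_state_still_valid(void) { return p11_ensure_usable() == 0; }
```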
Added #1265106, which prevents p11-kit from being usable under Fedora's SELinux policy for web servers.
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.