Bug 1236526 - Proper PKCS #11 support in nginx
Summary: Proper PKCS #11 support in nginx
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: nginx
Version: 22
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Nikos Mavrogiannopoulos
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 1217915 1218797 1233593 1235284 1271501
Blocks: PKCS11
TreeView+ depends on / blocked
 
Reported: 2015-06-29 11:15 UTC by Nikos Mavrogiannopoulos
Modified: 2016-07-19 15:06 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-19 15:06:56 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Nikos Mavrogiannopoulos 2015-06-29 11:15:04 UTC
Description of problem:
Currently nginx supports PKCS #11 via engine_pkcs11, but this support is broken in various ways.
1. PKCS #11 URLs cannot be loaded (see #1233593), the URLs have to be specified as "engine:pkcs11:pkcs11:xxx", which defeats the purpose of using PKCS #11 URLs in the first place (see #1173546).
2. nginx by default uses the fork model and PKCS #11 requires special handling of forking processes. That special handling is not there, making any HSMs and software security modules unusable (on softhsm works incidentally) - see #1235284.
3. p11-kit has a deadlock on fork making engine_pkcs11 (as used by nginx) unusable.

Steps to Reproduce:
1. Configure a PKCS #11 module
2. Specify PKCS #11 URLs as "engine:pkcs11:URL" in the configuration file
3. Run nginx and try to connect to HTTPS port

Actual results:
Crash or deadlock.

Expected results:
Normal operation.

Comment 1 Nikos Mavrogiannopoulos 2015-06-30 09:32:44 UTC
I'm adding another related issue.
4. Any HSMs used via opensc will fail, because opensc has a bug on fork(). See #1218797. Fortunately there no major HSMs supported via opensc (mostly smart cards).

Comment 2 Nikos Mavrogiannopoulos 2015-09-22 07:14:54 UTC
Added #1265106 which prevents p11-kit from being usable using the Fedora's SELinux policy for web servers.

Comment 3 Fedora End Of Life 2016-07-19 15:06:56 UTC
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.


Note You need to log in before you can comment on or make changes to this bug.