| 2024-01-21 22:19:16 |
bugproxy |
bug |
|
|
added bug |
| 2024-01-21 22:19:17 |
bugproxy |
tags |
|
architecture-s39064 bugnameltc-204743 severity-high targetmilestone-inin2404 |
|
| 2024-01-21 22:19:18 |
bugproxy |
ubuntu: assignee |
|
Skipper Bug Screeners (skipper-screen-team) |
|
| 2024-01-21 22:19:19 |
bugproxy |
affects |
ubuntu |
linux (Ubuntu) |
|
| 2024-01-21 22:19:20 |
bugproxy |
bug |
|
|
added subscriber CDE Administration |
| 2024-01-21 22:19:21 |
bugproxy |
bug |
|
|
added subscriber Boris Barth |
| 2024-01-22 11:26:30 |
Frank Heimes |
information type |
Private |
Public |
|
| 2024-01-22 11:28:42 |
Frank Heimes |
affects |
linux (Ubuntu) |
apache2 (Ubuntu) |
|
| 2024-01-22 11:29:26 |
Frank Heimes |
bug task added |
|
ubuntu-z-systems |
|
| 2024-01-22 11:29:39 |
Frank Heimes |
ubuntu-z-systems: assignee |
|
Skipper Bug Screeners (skipper-screen-team) |
|
| 2024-01-22 11:29:44 |
Frank Heimes |
apache2 (Ubuntu): assignee |
Skipper Bug Screeners (skipper-screen-team) |
|
|
| 2024-01-22 11:29:52 |
Frank Heimes |
ubuntu-z-systems: importance |
Undecided |
High |
|
| 2024-01-22 11:36:50 |
Christian Ehrhardt |
apache2 (Ubuntu): status |
New |
Incomplete |
|
| 2024-01-22 11:36:56 |
Christian Ehrhardt |
bug |
|
|
added subscriber Ubuntu Server |
| 2024-01-25 14:17:01 |
Frank Heimes |
apache2 (Ubuntu): status |
Incomplete |
Triaged |
|
| 2024-01-25 14:17:04 |
Frank Heimes |
ubuntu-z-systems: status |
New |
Triaged |
|
| 2024-02-08 07:42:44 |
Christian Ehrhardt |
tags |
architecture-s39064 bugnameltc-204743 severity-high targetmilestone-inin2404 |
architecture-s39064 bugnameltc-204743 server-todo severity-high targetmilestone-inin2404 |
|
| 2024-02-08 14:52:58 |
Alexandre Erwin Ittner |
bug |
|
|
added subscriber Alexandre Erwin Ittner |
| 2024-02-21 09:12:21 |
Frank Heimes |
description |
Enable an E2E use case that allows to configure an Apache webserver to protect its private keys with an HSM that is addressable via an PKCS #11 (signing) provider configured for an openSSL 3.0 library.
Accepted for httpd > 2.4.58, see
https://svn.apache.org/viewvc?view=revision&revision=1914365 |
Feature Freeze Exception (FFe):
-------------------------------
Since this may take a little longer now and noble's FF is coming up soon,
I'm pro-actively transferring this request into a feature freeze exception (FFe).
The main reason for this request is a new functionality and the use case that one wants to protect the private key of a httpd server by using a PKCS#11 based (HSM based) private key for the server instead of using a clear key.
Which would subsequently open business opportunity esp. on the s390x platform.
The diff/delta in the 2.5.x/trunk CHANGES file (https://github.com/apache/httpd/blob/trunk/CHANGES) is:
"
*) mod_ssl: Support loading certificates and private keys from the
PKCS#11 OpenSSL engine. [Anderson Sasaki <ansasaki redhat.com>,
Joe Orton]
"
In addition a reference to Revision 1914365 seems to be useful, that provides further details:
https://svn.apache.org/viewvc?view=revision&revision=1914365
Once backports for 2.4.x are available:
- a test build in PPA will be done (and a build log can be provided)
- install and upgrade tests will be done (and an install log can be provided)
The new package should not break any other packages that depend on it,
since there are no changes in the dependencies (or package meta data in general) expected.
A description of a sample setup, incl. all affected components, can be taken from here:
https://www.ibm.com/docs/en/linux-on-z?topic=linuxone-libp11-engine
(The sample is based on RHEL, but except the patches discussed here,
this generally applies to other distributions as well).
'Figure - 1' provides a graphical representation of the overall use case setup.
The above sample setup does incl. test steps;
look for 'Testing' --> 'Test with Apache web server'
(Test uses "httpd -X" and "openssl s_client".)
Once an Ubuntu based Apache 2.4.x test build for noble is available,
and the logs (see above are available)
the 'ubuntu-release' team can finally be subscribed.
__________
Enable an E2E use case that allows to configure an Apache webserver to protect its private keys with an HSM that is addressable via an PKCS #11 (signing) provider configured for an openSSL 3.0 library.
Accepted for httpd > 2.4.58, see
https://svn.apache.org/viewvc?view=revision&revision=1914365 |
|
| 2024-02-21 09:12:37 |
Frank Heimes |
summary |
[24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider |
[FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider |
|
| 2024-02-21 16:13:24 |
Andreas Hasenack |
apache2 (Ubuntu): assignee |
|
Andreas Hasenack (ahasenack) |
|
| 2024-02-29 07:20:19 |
Frank Heimes |
description |
Feature Freeze Exception (FFe):
-------------------------------
Since this may take a little longer now and noble's FF is coming up soon,
I'm pro-actively transferring this request into a feature freeze exception (FFe).
The main reason for this request is a new functionality and the use case that one wants to protect the private key of a httpd server by using a PKCS#11 based (HSM based) private key for the server instead of using a clear key.
Which would subsequently open business opportunity esp. on the s390x platform.
The diff/delta in the 2.5.x/trunk CHANGES file (https://github.com/apache/httpd/blob/trunk/CHANGES) is:
"
*) mod_ssl: Support loading certificates and private keys from the
PKCS#11 OpenSSL engine. [Anderson Sasaki <ansasaki redhat.com>,
Joe Orton]
"
In addition a reference to Revision 1914365 seems to be useful, that provides further details:
https://svn.apache.org/viewvc?view=revision&revision=1914365
Once backports for 2.4.x are available:
- a test build in PPA will be done (and a build log can be provided)
- install and upgrade tests will be done (and an install log can be provided)
The new package should not break any other packages that depend on it,
since there are no changes in the dependencies (or package meta data in general) expected.
A description of a sample setup, incl. all affected components, can be taken from here:
https://www.ibm.com/docs/en/linux-on-z?topic=linuxone-libp11-engine
(The sample is based on RHEL, but except the patches discussed here,
this generally applies to other distributions as well).
'Figure - 1' provides a graphical representation of the overall use case setup.
The above sample setup does incl. test steps;
look for 'Testing' --> 'Test with Apache web server'
(Test uses "httpd -X" and "openssl s_client".)
Once an Ubuntu based Apache 2.4.x test build for noble is available,
and the logs (see above are available)
the 'ubuntu-release' team can finally be subscribed.
__________
Enable an E2E use case that allows to configure an Apache webserver to protect its private keys with an HSM that is addressable via an PKCS #11 (signing) provider configured for an openSSL 3.0 library.
Accepted for httpd > 2.4.58, see
https://svn.apache.org/viewvc?view=revision&revision=1914365 |
Feature Freeze Exception (FFe):
-------------------------------
Since the work on this request may take a little longer and noble's FF is
today, this request got transferred into a feature freeze exception (FFe).
The driver for this is the need to update mod_ssl in Apache2 to support
openssl 3.x providers, since engines are deprecated in openssl 3.x.
This new functionality (openssl provider support) is required for the
use case that one wants to protect the private key of a httpd server
by using a PKCS#11 based (HSM based) private key for the server
instead of using a clear key.
This would subsequently open business opportunity esp. on the s390x platform.
The diff/delta in the 2.5.x/trunk CHANGES file (https://github.com/apache/httpd/blob/trunk/CHANGES) is:
"
*) mod_ssl: Support loading certificates and private keys from the
PKCS#11 OpenSSL engine. [Anderson Sasaki <ansasaki redhat.com>,
Joe Orton]
"
In addition the reference to Revision 1914365 seems to be useful reference,
that provides further details:
https://svn.apache.org/viewvc?view=revision&revision=1914365
Once backports for 2.4.x are available:
- a test build in PPA will be done (and a build log can be provided)
- install and upgrade tests will be done (and an install log can be provided)
The new package should not break any other packages that depend on it,
since there are no changes in the dependencies (or package meta data in general) expected.
A description of a sample setup, incl. all affected components, can be taken from here:
https://www.ibm.com/docs/en/linux-on-z?topic=linuxone-libp11-engine
(The sample is based on RHEL, but except the patches discussed here,
this generally applies to other distributions as well).
'Figure - 1' provides a graphical representation of the overall use case setup.
The above sample setup does incl. test steps;
look for 'Testing' --> 'Test with Apache web server'
(Test uses "httpd -X" and "openssl s_client".)
Once an Ubuntu based Apache 2.4.x test build for noble is available,
and the logs (see above are available)
the 'ubuntu-release' team can finally be subscribed.
__________
Enable an E2E use case that allows to configure an Apache webserver to protect its private keys with an HSM that is addressable via an PKCS #11 (signing) provider configured for an openSSL 3.0 library.
Accepted for httpd > 2.4.58, see
https://svn.apache.org/viewvc?view=revision&revision=1914365 |
|
| 2024-02-29 07:20:28 |
Frank Heimes |
tags |
architecture-s39064 bugnameltc-204743 server-todo severity-high targetmilestone-inin2404 |
architecture-s39064 bugnameltc-204743 noble server-todo severity-high targetmilestone-inin2404 |
|
| 2024-03-06 15:22:18 |
Andreas Hasenack |
bug |
|
|
added subscriber Andreas Hasenack |
| 2024-03-06 20:54:36 |
Andreas Hasenack |
bug watch added |
|
https://github.com/latchset/pkcs11-provider/issues/310 |
|
| 2024-03-07 15:59:43 |
bugproxy |
bug watch added |
|
https://github.com/latchset/pkcs11-provider/issues/355 |
|
| 2024-03-13 15:34:36 |
Bryce Harrington |
tags |
architecture-s39064 bugnameltc-204743 noble server-todo severity-high targetmilestone-inin2404 |
architecture-s39064 bugnameltc-204743 noble severity-high targetmilestone-inin2404 |
|
| 2024-05-06 07:45:03 |
Frank Heimes |
summary |
[FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider |
[24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider |
|
| 2024-05-06 07:45:24 |
Frank Heimes |
description |
Feature Freeze Exception (FFe):
-------------------------------
Since the work on this request may take a little longer and noble's FF is
today, this request got transferred into a feature freeze exception (FFe).
The driver for this is the need to update mod_ssl in Apache2 to support
openssl 3.x providers, since engines are deprecated in openssl 3.x.
This new functionality (openssl provider support) is required for the
use case that one wants to protect the private key of a httpd server
by using a PKCS#11 based (HSM based) private key for the server
instead of using a clear key.
This would subsequently open business opportunity esp. on the s390x platform.
The diff/delta in the 2.5.x/trunk CHANGES file (https://github.com/apache/httpd/blob/trunk/CHANGES) is:
"
*) mod_ssl: Support loading certificates and private keys from the
PKCS#11 OpenSSL engine. [Anderson Sasaki <ansasaki redhat.com>,
Joe Orton]
"
In addition the reference to Revision 1914365 seems to be useful reference,
that provides further details:
https://svn.apache.org/viewvc?view=revision&revision=1914365
Once backports for 2.4.x are available:
- a test build in PPA will be done (and a build log can be provided)
- install and upgrade tests will be done (and an install log can be provided)
The new package should not break any other packages that depend on it,
since there are no changes in the dependencies (or package meta data in general) expected.
A description of a sample setup, incl. all affected components, can be taken from here:
https://www.ibm.com/docs/en/linux-on-z?topic=linuxone-libp11-engine
(The sample is based on RHEL, but except the patches discussed here,
this generally applies to other distributions as well).
'Figure - 1' provides a graphical representation of the overall use case setup.
The above sample setup does incl. test steps;
look for 'Testing' --> 'Test with Apache web server'
(Test uses "httpd -X" and "openssl s_client".)
Once an Ubuntu based Apache 2.4.x test build for noble is available,
and the logs (see above are available)
the 'ubuntu-release' team can finally be subscribed.
__________
Enable an E2E use case that allows to configure an Apache webserver to protect its private keys with an HSM that is addressable via an PKCS #11 (signing) provider configured for an openSSL 3.0 library.
Accepted for httpd > 2.4.58, see
https://svn.apache.org/viewvc?view=revision&revision=1914365 |
The driver for this is the need to update mod_ssl in Apache2 to support
openssl 3.x providers, since engines are deprecated in openssl 3.x.
This new functionality (openssl provider support) is required for the
use case that one wants to protect the private key of a httpd server
by using a PKCS#11 based (HSM based) private key for the server
instead of using a clear key.
This would subsequently open business opportunity esp. on the s390x platform.
The diff/delta in the 2.5.x/trunk CHANGES file (https://github.com/apache/httpd/blob/trunk/CHANGES) is:
"
*) mod_ssl: Support loading certificates and private keys from the
PKCS#11 OpenSSL engine. [Anderson Sasaki <ansasaki redhat.com>,
Joe Orton]
"
In addition the reference to Revision 1914365 seems to be useful reference,
that provides further details:
https://svn.apache.org/viewvc?view=revision&revision=1914365
Once backports for 2.4.x are available:
- a test build in PPA will be done (and a build log can be provided)
- install and upgrade tests will be done (and an install log can be provided)
The new package should not break any other packages that depend on it,
since there are no changes in the dependencies (or package meta data in general) expected.
A description of a sample setup, incl. all affected components, can be taken from here:
https://www.ibm.com/docs/en/linux-on-z?topic=linuxone-libp11-engine
(The sample is based on RHEL, but except the patches discussed here,
this generally applies to other distributions as well).
'Figure - 1' provides a graphical representation of the overall use case setup.
The above sample setup does incl. test steps;
look for 'Testing' --> 'Test with Apache web server'
(Test uses "httpd -X" and "openssl s_client".)
Once an Ubuntu based Apache 2.4.x test build for noble is available,
and the logs (see above are available)
the 'ubuntu-release' team can finally be subscribed.
__________
Enable an E2E use case that allows to configure an Apache webserver to protect its private keys with an HSM that is addressable via an PKCS #11 (signing) provider configured for an openSSL 3.0 library.
Accepted for httpd > 2.4.58, see
https://svn.apache.org/viewvc?view=revision&revision=1914365 |
|
| 2024-05-17 12:18:44 |
Frank Heimes |
ubuntu-z-systems: status |
Triaged |
Opinion |
|
| 2024-05-17 12:18:46 |
Frank Heimes |
apache2 (Ubuntu): status |
Triaged |
Opinion |
|
