Comment 27 for bug 2050017

Andreas Hasenack (ahasenack) wrote : Re: [FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider

> Regarding the pkcs11-sign-provider: Did you upgrade it to the 1.0.1 release?

Yes, I was using 1.0.1 from noble:

openssl-pkcs11-sign-provider 1.0.1-0ubuntu1

And pkcs11-provider 0.3-1.

> Note: I would NOT recommend to use 'openssl -provider xxxx', but configure the provider in the OpenSSL
> config file

It's what I did. openssl list -providers works without further options, indicating the system-wide openssl config file is loading the module:

$ openssl list -providers
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.10
    status: active
  pkcs11sign
    name: PKCS11 signing key provider
    version: 1.0.1
    status: active

I think apache is not even trying, or not able, to load the private key from softhsm2. When I start it in the foreground with -X, it doesn't prompt for the pin. And it doesn't change whether I give the pin-value in the pkcs11 URI or not. More investigation/testing is needed. This setup is somewhat complex, involving multiple libraries from different source packages, so it's quite possible I did something wrong.