<p>You will notice that the PR moves HSM private keys loading to child (after fork()). Some further explanation is in order:</p>
<p>Engines like AWS CloudHSM (SafeNet "gem" and "LunaCA3" engines) are wrappers around their PKCS 11 implementations. Some of these libraries do not behave predictably after fork(). For example, if the token is initialized in master, then some HSM keys are loaded, the handles can become invalid in a fork()'ed child or you will get weird runtime errors.</p>
<p>GNUTLS describes this problem: <a href="https://www.gnutls.org/manual/gnutls.html#PKCS11-Initialization" rel="nofollow">https://www.gnutls.org/manual/gnutls.html#PKCS11-Initialization</a></p>
<p>Using opensc or SoftHSM2 is usually not a problem as they handle fork() properly.</p>
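<p>The failure mode and the fix described in this comment, as an added example in C that is not code from the PR or from Kamailio: a hypothetical stub "engine" stands in for a non-fork-safe PKCS#11 wrapper (its handles are usable only from the pid that initialised it), and hsm_key_get() initialises the engine and loads the key on first use in each process, so a child that calls it after fork() gets a valid handle where a handle inherited from the parent is stale. All names (stub_*, hsm_key, obj_handle_t) are assumptions of this example.</p>

```c
/* Added example (not code from the PR or Kamailio): a fork-aware key context
 * around a stub "engine" that models a non-fork-safe PKCS#11 wrapper: a
 * handle is usable only from the pid that initialised the library. */
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

typedef unsigned long obj_handle_t;   /* stands in for CK_OBJECT_HANDLE */

/* Stub engine (hypothetical): remembers which pid ran its "C_Initialize". */
static pid_t stub_owner_pid = 0;
static void stub_initialize(void) { stub_owner_pid = getpid(); }
static obj_handle_t stub_load_key(void) { return 0x1000 + (getpid() & 0xfff); }
static int stub_handle_valid(obj_handle_t h) { (void)h; return stub_owner_pid == getpid(); }

/* Per-process key context: which pid loaded the key, and the handle it got. */
struct hsm_key { pid_t loaded_in; obj_handle_t handle; };

/* Return a handle valid in the calling process: initialise the engine and
 * load the key on first use in this pid, which covers the post-fork() case. */
static obj_handle_t hsm_key_get(struct hsm_key *k) {
    if (k->loaded_in != getpid()) {
        stub_initialize();
        k->handle = stub_load_key();
        k->loaded_in = getpid();
    }
    return k->handle;
}

/* Load the key in the parent ("master"), fork once, and report whether the
 * child holds a valid handle: 1 = valid, 0 = stale, -1 = fork/wait error. */
static int child_handle_valid(int reload_in_child) {
    struct hsm_key k = {0, 0};
    hsm_key_get(&k);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        obj_handle_t h = reload_in_child ? hsm_key_get(&k) : k.handle;
        _exit(stub_handle_valid(h) ? 1 : 0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
int main(void) {
    printf("parent-loaded handle valid in child: %d\n", child_handle_valid(0));
    printf("child-reloaded handle valid in child: %d\n", child_handle_valid(1));
    return 0;
}
```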
