[sr-dev] [kamailio/kamailio] tls: add support for OpenSSL engine and private keys in HSM (#1484)

Thu Mar 15 14:50:51 CET 2018

- add support for OpenSSL engine and loading private keys from HSM
- for when kamailio is a TLS edge proxy and needs to use HSM
- currently we initialize the engine in worker processes as PKCS#11
  libraries are not guaranteed to be fork() safe

- new config params
    - engine: name the OpenSSL engine
    - engine_config: an OpenSSL config format file used to bootstrap engines
    - engine_algorithms: list of algorithms to delegate to the engine

- tested with Gemalto SafeNet Luna (AWS CloudHSM) with RSA and EC private keys
  TLSv1.2 and PFS cipher suites

<!-- Kamailio Pull Request Template -->

<!--
IMPORTANT:
  - for detailed contributing guidelines, read:
    https://github.com/kamailio/kamailio/blob/master/.github/CONTRIBUTING.md
  - pull requests must be done to master branch, unless they are backports
    of fixes from master branch to a stable branch
  - backports to stable branches must be done with 'git cherry-pick -x ...'
  - code is contributed under BSD for core and main components (tm, sl, auth, tls)
  - code is contributed GPLv2 or a compatible license for the other components
  - GPL code is contributed with OpenSSL licensing exception
-->

#### Pre-Submission Checklist
<!-- Go over all points below, and after creating the PR, tick all the checkboxes that apply -->
<!-- All points should be verified, otherwise, read the CONTRIBUTING guidelines from above-->
<!-- If you're unsure about any of these, don't hesitate to ask on sr-dev mailing list -->
- [ ] Commit message has the format required by CONTRIBUTING guide
- [ ] Commits are split per component (core, individual modules, libs, utils, ...)
- [ ] Each component has a single commit (if not, squash them into one commit)
- [ ] No commits to README files for modules (changes must be done to docbook files
in `doc/` subfolder, the README file is autogenerated)

#### Type Of Change
- [ ] Small bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds new functionality)
- [ ] Breaking change (fix or feature that would change existing functionality)

#### Checklist:
<!-- Go over all points below, and after creating the PR, tick the checkboxes that apply -->
- [ ] PR should be backported to stable branches
- [ ] Tested changes locally
- [ ] Related to issue #XXXX (replace XXXX with an open issue number)

#### Description
<!-- Describe your changes in detail -->
- add support for OpenSSL engine and loading private keys from HSM
- for when kamailio is a TLS edge proxy and needs to use HSM
- currently we initialize the engine in worker processes as PKCS#11
  libraries are not guaranteed to be fork() safe

- new config params
    - engine: name the OpenSSL engine
    - engine_config: an OpenSSL config format file used to bootstrap engines
    - engine_algorithms: list of algorithms to delegate to the engine

- tested with Gemalto SafeNet Luna (AWS CloudHSM) with RSA and EC private keys
  TLSv1.2 and PFS cipher suites
You can view, comment on, or merge this pull request online at:

  https://github.com/kamailio/kamailio/pull/1484

-- Commit Summary --

  * tls: add support for OpenSSL engine and private keys in HSM

-- File Changes --

    M src/modules/tls/tls_domain.c (178)
    M src/modules/tls/tls_mod.c (91)
    M src/modules/tls/tls_mod.h (9)

-- Patch Links --

https://github.com/kamailio/kamailio/pull/1484.patch
https://github.com/kamailio/kamailio/pull/1484.diff

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/1484
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-dev/attachments/20180315/82b56290/attachment.html>