-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 2014-08-06 at 13:47 -0400, Tomas Hozza wrote:
> Basically we want to enable users to use native-pkcs11 with SoftHSM
> if needed. However, by default have named running without it.

RHEL7/CentOS 7 now has SoftHSM v2 available.

What about a new PKCS#11 provider that is just an interface into OpenSSL?

    --enable-native-pkcs11 \
    --with-pkcs11=pkcs11-openssl-shim

BIND uses native PKCS#11, but the default .so it loads just redirects all
the calls into OpenSSL. BIND will ask it to generate keys, and will assume
that that provider will keep the private key part. So we still don't end up
with the original /var/named/K*.private files.

Well, this new provider is *only* used by BIND, so it could run under the
bind user account, have SELinux access to /var/named, and keep its private
key data in files, possibly in a new /var/named/pkcs11-openssl-shim
directory.

With this scheme, we would not need the -pkcs11 RPM subpackages, but could
use /etc/sysconfig/named to control the switch between providers.

Does Red Hat want to write (or fund the writing of) such a shim provider?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEARECAAYFAlW6W8EACgkQL6j7milTFsHfTwCfV02OgTJN/itdtTxoa25l/lH0
HdIAniOiPxtE30SklCaADGFDRdY4ttNl
=+SfE
-----END PGP SIGNATURE-----
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
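The message above proposes selecting the PKCS#11 provider through /etc/sysconfig/named rather than through separate -pkcs11 subpackages. The following is an added illustration of that switch, not code from the original post, from BIND, or from Red Hat packaging. It assumes named was built with --enable-native-pkcs11, so that `named -E <path-to-provider.so>` overrides the provider library compiled in via --with-pkcs11 (this is how the BIND 9.10+ named man page describes -E for native PKCS#11 builds; treat it as an assumption to verify against your build). The variable name NAMED_PKCS11_PROVIDER and the file layout are hypothetical. The sysconfig file is parsed with sed rather than sourced, so a writable config file cannot inject shell commands into the service start-up.

```shell
#!/bin/sh
# Added example: choose named's PKCS#11 provider from a sysconfig-style file.
# Hypothetical variable: NAMED_PKCS11_PROVIDER=/path/to/provider.so
#   empty/unset -> run named without a PKCS#11 provider (plain OpenSSL,
#                  private keys stay in /var/named/K*.private)
#   set         -> pass "-E <provider.so>" to named (native PKCS#11 build,
#                  e.g. SoftHSM v2's libsofthsm2.so or the proposed shim)

# Print the engine arguments for named for the given sysconfig file.
# Prints nothing when no provider is configured; fails (exit 1) when a
# provider is configured but its library is missing, so the service does
# not silently start with file-based keys when an HSM was intended.
named_engine_args() {
    cfg="$1"
    provider=""
    if [ -r "$cfg" ]; then
        # Parse only the one assignment we care about; do not source the
        # file, which would execute anything written into it.
        provider=$(sed -n 's/^NAMED_PKCS11_PROVIDER=//p' "$cfg" \
                   | tail -n 1 | tr -d '"'"'")
    fi
    [ -z "$provider" ] && return 0
    if [ ! -f "$provider" ]; then
        echo "named_engine_args: provider library '$provider' not found" >&2
        return 1
    fi
    printf -- '-E %s\n' "$provider"
}

# Build the full named command line (as a single string) for the given
# sysconfig file; the caller decides whether to exec it.
named_cmdline() {
    args=$(named_engine_args "$1") || return 1
    # -u named: drop to the bind/named user; -c: config path (Red Hat layout)
    printf '%s\n' "/usr/sbin/named -u named -c /etc/named.conf${args:+ $args}"
}

# Usage (not executed here):
#   exec $(named_cmdline /etc/sysconfig/named)
```

When no provider is set the command line is the plain `named -u named -c /etc/named.conf`, which is the "running without it by default" behaviour the thread asks for; setting the variable to the SoftHSM v2 library (or, if it were written, the proposed OpenSSL-backed shim) switches key storage without rebuilding or swapping packages.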