Hi! I am trying to use a pkcs11 smart card (eToken) to store the web server's private key with apache & mod_ssl. From the strace output it seems that mod_ssl successfully loads the pkcs11 engine. However, it does not seem to find the pkcs11 library. Given that I see no attempt to load openssl.cnf, this is understandable in retrospect. As far as I can see, mod_ssl does a call to ENGINE_by_id(const char *id) with the id I have given in the configuration ("pkcs11" in this case) but makes no attempt to do further engine-related configuration. The .so for the engine does get loaded, but it cannot figure out which pkcs11 module to use. Is there some way to directly tell the module path to the pkcs11 engine? (I was trying environment variables like OPENSSL_CONF and MODULE_PATH with no success.) If not, what calls should I strategically insert into the mod_ssl source to make this work?
This is my openssl.cnf, and it does work with openssl command line:

openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /lib/libeToken.so.8
init = 0

[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]
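Added example, not part of the original post and not OpenSSL or mod_ssl code: a Python model of how an engine section like the one above is turned into ENGINE API calls when openssl.cnf is loaded, which is the work that a bare ENGINE_by_id() call skips. The key-to-call mapping is an assumption based on the behaviour of OpenSSL's engine configuration module, and `engine_calls` and `default_id` are hypothetical names.

```python
import configparser

# The engine section from the poster's openssl.cnf, copied from the message.
CNF = """\
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /lib/libeToken.so.8
init = 0
"""

def engine_calls(cnf_text, section, default_id):
    """List, in order, the ENGINE calls one engine section stands for.

    default_id (hypothetical parameter) is the key naming the section in
    [engine_section]; an engine_id line overrides it.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: control command names are case-sensitive
    cp.read_string(cnf_text)
    name, have_engine, do_init, calls = default_id, False, -1, []
    for key, value in cp.items(section):
        if key == "engine_id":
            name = value
        elif key == "soft_load":
            continue  # only changes how a missing engine is reported
        elif key == "dynamic_path":
            calls += ['e = ENGINE_by_id("dynamic")',
                      f'ENGINE_ctrl_cmd_string(e, "SO_PATH", "{value}", 0)',
                      'ENGINE_ctrl_cmd_string(e, "LIST_ADD", "2", 0)',
                      'ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)']
            have_engine = True
        else:
            if not have_engine:
                calls.append(f'e = ENGINE_by_id("{name}")')
                have_engine = True
            if key == "init":
                do_init = int(value)
                if do_init == 1:
                    calls.append("ENGINE_init(e)")
            elif key == "default_algorithms":
                calls.append(f'ENGINE_set_default_string(e, "{value}")')
            else:  # everything else is an engine control command
                arg = "NULL" if value == "EMPTY" else f'"{value}"'
                calls.append(f'ENGINE_ctrl_cmd_string(e, "{key}", {arg}, 0)')
    if have_engine and do_init == -1:
        calls.append("ENGINE_init(e)")  # no init line: initialised by default
    return calls

if __name__ == "__main__":
    print("\n".join(engine_calls(CNF, "pkcs11_section", "pkcs11")))
```

In this model MODULE_PATH is an ordinary engine control command, so it reaches the engine through ENGINE_ctrl_cmd_string() rather than through the process environment.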