mod_ssl and Sun Crypto Card

mod_ssl and Sun Crypto Card

am 06.11.2003 19:40:21 von Ming.Yu

I have a SunFire system that has a Sun Crypto Card 1000 pre-installed. The
mod_ssl came with the card only supports apache 1.3.12 or apache 1.3.22.
How to configure and compile the mod_ssl so that it can support the Crypto
card? - Thanks in advance

- Ming Yu
- Johns Hopkins Univ. APL

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Providers of hardware key storage

am 08.11.2003 05:23:46 von Francisco Corella

Hi Goetz,

> Francisco Corella wrote:
> > I have spent several hours searching the mailing list archive looking
for
> > hardware key storage solutions compatible with mod_ssl. NCipher
provides
> > one. Are there any others? I saw several emails mentioning the
existence
> > of others, but nothing concrete. One email mentioned Broadcom in
addition
> > to NCipher, but Broadcom sells chips, and I'm looking for a PCI card. I
> > have concacted several manufacturers of SSL accelerators but haven't
been
> > able to get any answers concerning key storage except from NCipher.
>
> OpenSSL comes with build in support for different
> crypto hardware (called ENGINE, in crypto/engine/).
> But support for additional crypto engines may be added on run time.
>
> Please search the OpenSSL web pages.

I think I understand, at least in principle, how to use hardware crypto with
mod_ssl. But there are two ways of doing it, depending of where you keep
the server key:

(a) You may keep the server key in a file specified by the directive
SSLCertificateKeyFile, and send the key to the hardware for each operation
that requires use of the key. Or,

(b) You may keep the server key in the hardware, and tell the hardware what
key to use for each operation in some ad-hoc fashion.

My understanding is that most hardware crypto uses option (a). I know that
nCipher lets you use option (a) or option (b), but using option (b) requires
buying the tamperproof card called "nForce", which is very expensive,
instead of the vanilla "nFast" card.

What I was asking is whether there is other crypto hardware out there that
lets you use option (b). I'm hoping to find something less expensive than
nForce.

Francisco


____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Providers of hardware key storage

am 10.11.2003 17:38:15 von babin-ebell

This is a cryptographically signed message in MIME format.

--------------ms030404000709060102080107
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Hello Francisco,

Francisco Corella wrote:
> Hi Goetz,

>>OpenSSL comes with build in support for different
>>crypto hardware (called ENGINE, in crypto/engine/).
>>But support for additional crypto engines may be added on run time.
>>
>>Please search the OpenSSL web pages.
>
> I think I understand, at least in principle, how to use hardware crypto with
> mod_ssl. But there are two ways of doing it, depending of where you keep
> the server key:
>
> (a) You may keep the server key in a file specified by the directive
> SSLCertificateKeyFile, and send the key to the hardware for each operation
> that requires use of the key. Or,
>
> (b) You may keep the server key in the hardware, and tell the hardware what
> key to use for each operation in some ad-hoc fashion.
>
> My understanding is that most hardware crypto uses option (a). I know that
> nCipher lets you use option (a) or option (b), but using option (b) requires
> buying the tamperproof card called "nForce", which is very expensive,
> instead of the vanilla "nFast" card.
>
> What I was asking is whether there is other crypto hardware out there that
> lets you use option (b). I'm hoping to find something less expensive than
> nForce.

Eracom has a crypto card.
It is accessed with a PKCS#11 interface.

There are several PKCS#11 ENGINE implementations for OpenSSL
available.
(One from Bull, one from eracom, may be others)

Have a look at one of these.


Bye

Goetz

--
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126

--------------ms030404000709060102080107
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEH AQAAoIIIkDCC
BEQwggOtoAMCAQICDwCQHgAAAAJOQu0jEgf3pTANBgkqhkiG9w0BAQUFADCB vDELMAkGA1UE
BhMCREUxEDAOBgNVBAgTB0hhbWJ1cmcxEDAOBgNVBAcTB0hhbWJ1cmcxOjA4 BgNVBAoTMVRD
IFRydXN0Q2VudGVyIGZvciBTZWN1cml0eSBpbiBEYXRhIE5ldHdvcmtzIEdt YkgxIjAgBgNV
BAsTGVRDIFRydXN0Q2VudGVyIENsYXNzIDMgQ0ExKTAnBgkqhkiG9w0BCQEW GmNlcnRpZmlj
YXRlQHRydXN0Y2VudGVyLmRlMB4XDTAzMDIxMDE0NDI1MFoXDTA0MDIxMDE0 NDI1MFowgaox
CzAJBgNVBAYTAkRFMRAwDgYDVQQIEwdIYW1idXJnMRAwDgYDVQQHEwdIYW1i dXJnMRowGAYD
VQQKExFUQyBUcnVzdENlbnRlciBBRzEUMBIGA1UECxMLRW50d2lja2x1bmcx GjAYBgNVBAMT
EUdvZXR6IEJhYmluLUViZWxsMSkwJwYJKoZIhvcNAQkBFhpiYWJpbi1lYmVs bEB0cnVzdGNl
bnRlci5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALB6adN6 EChrpAbT5KV1
ceRRIDAoGnz2gsBoFI2BwJLS+RpuIZfdJOepm4crg3X6LXrMKwSF/lshFeHr VPtLzabgLGyF
SujsJP0z3u7f4XNYCGHl4UbyPkYboIP9GC/DRtsknO1YfJUy/4yKBG4VjJ4A P6vZTEQey6jm
xelsK2ek4vwRfUjs/z9UcZmtj4ipiHP6IqFyydDTLarn1jWHUu2zFnJzryZ6 mXdOUPihCOFG
D+c1KFksZ1VscgDpKygTQcIg/VItmbeFkhOj9IkboOyiVKvvfhujlxmdm9AC t22MjMrB0RAb
9TR1DgXlyofwykKAK+GM8Cu8jcKaJjvfhaMCAwEAAaOB0zCB0DAMBgNVHRMB Af8EAjAAMA4G
A1UdDwEB/wQEAwIF4DA+BglghkgBhvhCAQgEMRYvaHR0cDovL3d3dy50cnVz dGNlbnRlci5k
ZS9ndWlkZWxpbmVzL2luZGV4Lmh0bWwwEQYJYIZIAYb4QgEBBAQDAgWgMF0G CWCGSAGG+EIB
AwRQFk5odHRwczovL3d3dy50cnVzdGNlbnRlci5kZS9jZ2ktYmluL2NoZWNr LXJldi5jZ2kv
OTAxRTAwMDAwMDAyNEU0MkVEMjMxMjA3RjdBNT8wDQYJKoZIhvcNAQEFBQAD gYEAObOwuCFG
0HmVvCm8llpJ3qsBqtZgFyUT0wuz8JG6CZjHn5lwvOg+8m8huKrE5oGEQIo9 EwLcFLDNVsxB
CiwjX2juU3JQl2Hs2smUyHkOqg+W0COetRp+PcDAk4hk0Mth5A3bDy3Frzyh bjpYjAZTvnsY
9+QYmJm5cGWBJK9I7kIwggREMIIDraADAgECAg8AkB4AAAACTkLtIxIH96Uw DQYJKoZIhvcN
AQEFBQAwgbwxCzAJBgNVBAYTAkRFMRAwDgYDVQQIEwdIYW1idXJnMRAwDgYD VQQHEwdIYW1i
dXJnMTowOAYDVQQKEzFUQyBUcnVzdENlbnRlciBmb3IgU2VjdXJpdHkgaW4g RGF0YSBOZXR3
b3JrcyBHbWJIMSIwIAYDVQQLExlUQyBUcnVzdENlbnRlciBDbGFzcyAzIENB MSkwJwYJKoZI
hvcNAQkBFhpjZXJ0aWZpY2F0ZUB0cnVzdGNlbnRlci5kZTAeFw0wMzAyMTAx NDQyNTBaFw0w
NDAyMTAxNDQyNTBaMIGqMQswCQYDVQQGEwJERTEQMA4GA1UECBMHSGFtYnVy ZzEQMA4GA1UE
BxMHSGFtYnVyZzEaMBgGA1UEChMRVEMgVHJ1c3RDZW50ZXIgQUcxFDASBgNV BAsTC0VudHdp
Y2tsdW5nMRowGAYDVQQDExFHb2V0eiBCYWJpbi1FYmVsbDEpMCcGCSqGSIb3 DQEJARYaYmFi
aW4tZWJlbGxAdHJ1c3RjZW50ZXIuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIB
AQCwemnTehAoa6QG0+SldXHkUSAwKBp89oLAaBSNgcCS0vkabiGX3STnqZuH K4N1+i16zCsE
hf5bIRXh61T7S82m4CxshUro7CT9M97u3+FzWAhh5eFG8j5GG6CD/Rgvw0bb JJztWHyVMv+M
igRuFYyeAD+r2UxEHsuo5sXpbCtnpOL8EX1I7P8/VHGZrY+IqYhz+iKhcsnQ 0y2q59Y1h1Lt
sxZyc68mepl3TlD4oQjhRg/nNShZLGdVbHIA6SsoE0HCIP1SLZm3hZITo/SJ G6DsolSr734b
o5cZnZvQArdtjIzKwdEQG/U0dQ4F5cqH8MpCgCvhjPArvI3CmiY734WjAgMB AAGjgdMwgdAw
DAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwPgYJYIZIAYb4QgEIBDEW L2h0dHA6Ly93
d3cudHJ1c3RjZW50ZXIuZGUvZ3VpZGVsaW5lcy9pbmRleC5odG1sMBEGCWCG SAGG+EIBAQQE
AwIFoDBdBglghkgBhvhCAQMEUBZOaHR0cHM6Ly93d3cudHJ1c3RjZW50ZXIu ZGUvY2dpLWJp
bi9jaGVjay1yZXYuY2dpLzkwMUUwMDAwMDAwMjRFNDJFRDIzMTIwN0Y3QTU/ MA0GCSqGSIb3
DQEBBQUAA4GBADmzsLghRtB5lbwpvJZaSd6rAarWYBclE9MLs/CRugmYx5+Z cLzoPvJvIbiq
xOaBhECKPRMC3BSwzVbMQQosI19o7lNyUJdh7NrJlMh5DqoPltAjnrUafj3A wJOIZNDLYeQN
2w8txa88oW46WIwGU757GPfkGJiZuXBlgSSvSO5CMYIEdzCCBHMCAQEwgdAw gbwxCzAJBgNV
BAYTAkRFMRAwDgYDVQQIEwdIYW1idXJnMRAwDgYDVQQHEwdIYW1idXJnMTow OAYDVQQKEzFU
QyBUcnVzdENlbnRlciBmb3IgU2VjdXJpdHkgaW4gRGF0YSBOZXR3b3JrcyBH bWJIMSIwIAYD
VQQLExlUQyBUcnVzdENlbnRlciBDbGFzcyAzIENBMSkwJwYJKoZIhvcNAQkB FhpjZXJ0aWZp
Y2F0ZUB0cnVzdGNlbnRlci5kZQIPAJAeAAAAAk5C7SMSB/elMAkGBSsOAwIa BQCgggJ7MBgG
CSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTAzMTEx MDE2MzgxNlow
IwYJKoZIhvcNAQkEMRYEFJYrDhD3R+uSCn1JJ2/CO7em/hmTMFIGCSqGSIb3 DQEJDzFFMEMw
CgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcG BSsOAwIHMA0G
CCqGSIb3DQMCAgEoMIHhBgkrBgEEAYI3EAQxgdMwgdAwgbwxCzAJBgNVBAYT AkRFMRAwDgYD
VQQIEwdIYW1idXJnMRAwDgYDVQQHEwdIYW1idXJnMTowOAYDVQQKEzFUQyBU cnVzdENlbnRl
ciBmb3IgU2VjdXJpdHkgaW4gRGF0YSBOZXR3b3JrcyBHbWJIMSIwIAYDVQQL ExlUQyBUcnVz
dENlbnRlciBDbGFzcyAzIENBMSkwJwYJKoZIhvcNAQkBFhpjZXJ0aWZpY2F0 ZUB0cnVzdGNl
bnRlci5kZQIPAJAeAAAAAk5C7SMSB/elMIHjBgsqhkiG9w0BCRACCzGB06CB 0DCBvDELMAkG
A1UEBhMCREUxEDAOBgNVBAgTB0hhbWJ1cmcxEDAOBgNVBAcTB0hhbWJ1cmcx OjA4BgNVBAoT
MVRDIFRydXN0Q2VudGVyIGZvciBTZWN1cml0eSBpbiBEYXRhIE5ldHdvcmtz IEdtYkgxIjAg
BgNVBAsTGVRDIFRydXN0Q2VudGVyIENsYXNzIDMgQ0ExKTAnBgkqhkiG9w0B CQEWGmNlcnRp
ZmljYXRlQHRydXN0Y2VudGVyLmRlAg8AkB4AAAACTkLtIxIH96UwDQYJKoZI hvcNAQEBBQAE
ggEAcg6InxXyf+WrdomlnXdfq/SbmX2oZ9i7DbFYVgahr44AaoAxSdQ09s8+ wEtd8yRj6Ox2
lRzaWZkKwKcgO/1DQDcirJMi4LffRrONnlK+Ah04ZyIkShr7Osoi0uHWhthN yveafaRYL4ZQ
cyLDUR5qrsLRRJz21n/+Njab3U5jCdETmOilWvF0mup0HnkmVLTjohJfpETN dpiCoas/Au6T
9NfmTPfeu+hQM285rwZMKUTjvpRsyupsK3jbq2y2WIlF4BgC5b6gbIteBVBu vQ/ORMz6yeQd
lyiYvUUGwvrhi88t330NMlwdqG8oTbXhV8Mt2FyOpeNpAvJLsSfKuaPtlgAA AAAAAA==
--------------ms030404000709060102080107--

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org