In message <5B8F45EA-5867-4832-916A-6B31A323A59C at temme.net> on Sat, 20 Feb 2016 12:40:38 -0800, Sander Temme <sander at temme.net> said: sander> sander> > On Feb 19, 2016, at 3:31 AM, Matt Caswell <matt at openssl.org> wrote: sander> sander> OK that made our support lines blow up so yes there is interest. sander> sander> Disclaimer: I work for Thales but do not speak for Thales. sander> sander> > So it seems that for chil there may possibly be some rare use (but even sander> > the most recent evidence is 4 years old). However the OpenSSL dev team sander> > do not have access to this hardware to maintain the engine and (as noted sander> > above) this is currently not building in 1.1.0. sander> sander> I think (again, personal impression) that this is one of those sander> sleeper integrations that a lot of people use but doesn?t get sander> on the radar a whole lot. Using openssl is by far the easiest sander> way to get the nShield HSM to do something with protected sander> keys? as long as those are RSA keys. Pair that with existing sander> application integrations like Apache, OpenSSH, etc. I know of sander> a number of customers and partners, none of whom I am at sander> liberty to discuss (although they might speak up for sander> themselves), who use OpenSSL with nShield for various sander> applications. Oh, nShield? Back when I was playing with e_chil.c, it was nCipher. But, no matter really... sander> So it?s not dead. What it does, it does very well. If sander> anything, the lack of visible activity may indicate how easy sander> CHIL is to use and support. The trouble is that we can't verify that. We don't have the hardware or the expertise. Even the few of us that got to play with a nCipher box 15+ years ago don't have that around any more. So there's that pile of code that no one dares to touch because we have no idea what the effects might be and have no way of testing that. With all that in mind, I've a question back to you... wouldn't it be more productive if Thales let an OpenSSL engine, built as a DSO, accompany the hardware? Considering you are much closer to the hardware and the expertise, it seems a bit more appropriate, doesn't it? sander> What I would like to see though is for such a PKCS#11 Engine sander> to be part of OpenSSL proper, so that our customers and sander> everyone else?s don?t have to go hunt hither and yon for bits sander> and bobs of software in order to make their hardware kit work sander> with OpenSSL. How would OpenSSL obtain a PKCS#11 Engine to sander> include in its distribution? I'm not sure if this is a problem specifically for OpenSSL to solve, or if it is a packager problem. Sometimes, the border between the two might be blurry, but... If OpenSSL is to "obtain" a PKCS#11 engine, it would probably be by writing one. It would be far easier, though, if someone would package the already existing engine_pkcs11 with OpenSSL (that packaging doesn't have to be done by the OpenSSL team), *or* with hardware distributions. Cheers, Richard -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/
