On 30.07.2015 19:35, Evan Hunt wrote:
> On Thu, Jul 30, 2015 at 10:19:49AM -0700, Carl Byington wrote:
> > RHEL7/Centos7 now has softhsm v2 available. What about a new pkcs11
> > provider that is just an interface into openssl?
> >
> > --enable-native-pkcs11 \
> > --with-pkcs11=pkcs11-openssl-s
> That in fact is exactly what SoftHSMv2 does.
Building bind with native pkcs11 pointing to SoftHSMv2 then requires
softhsm setup and pin code generation. Bind cannot automatically
generate/use keys, in the same manner as a default non-pkcs11 build.
On Thu, Jul 30, 2015 at 10:19:49AM -0700, Carl Byington wrote:
> RHEL7/Centos7 now has softhsm v2 available. What about a new pkcs11
> provider that is just an interface into openssl?
>
> --enable-native-pkcs11 \
> --with-pkcs11=pkcs11-openssl-shim
>
> Bind uses native pkcs11, but the default
On Wed, 2014-08-06 at 13:47 -0400, Tomas Hozza wrote:
> Basically we want to enable user to use native-pkcs11 with SoftHSM
> if needed. However by default have named running without it.
RHEL7/Centos7 now has softhsm v2 available. What about a new pkcs
On Wed, Aug 06, 2014 at 02:02:33PM -0400, Tomas Hozza wrote:
> As far as I understand, without native-pkcs11 OpenSSL is used for crypto
> operations if the provided PKCS#11 library did not support some operation, or
> if the PKCS#11 provider library was not provided/was not available at all.
>
> W
- Original Message -
> On Wed, Aug 06, 2014 at 05:14:53PM +0100, Tony Finch wrote:
> > > Right now it is not possible, and when named is built with
> > > --enable-native-pkcs11 it can not run without HSM and some PKCS#11
> > > provider library.
> >
> > Would using SoftHSM solve your proble
- Original Message -
> Tomas Hozza wrote:
>
> > Right now it is not possible, and when named is built with
> > --enable-native-pkcs11
> > it can not run without HSM and some PKCS#11 provider library.
>
> Would using SoftHSM solve your problem?
No. We don't want to install SoftHSM by def
On Wed, Aug 06, 2014 at 05:14:53PM +0100, Tony Finch wrote:
> > Right now it is not possible, and when named is built with
> > --enable-native-pkcs11 it can not run without HSM and some PKCS#11
> > provider library.
>
> Would using SoftHSM solve your problem?
>
> http://www.opendnssec.org/softhsm
Tomas Hozza wrote:
> Right now it is not possible, and when named is built with
> --enable-native-pkcs11
> it can not run without HSM and some PKCS#11 provider library.
Would using SoftHSM solve your problem?
http://www.opendnssec.org/softhsm/
http://ftp.isc.org/isc/bind9/9.10.0-P2/doc/arm/Bv9
Hello.
I'm trying to figure out how can named be built with --enable-native-pkcs11
and run without the PKCS#11 provider library.
Our use-case is that given how OpenSSL does not support PKCS#11 properly,
we would like to use the native-pkcs11 if using some HSM, but by default
run named without