From: "Mukund Sivaraman" <muks@isc.org>
To: "Evan Hunt via RT"
Subject: Re: [ISC-Bugs #46749] Update PKCS #11 OpenSSL engine usage documentation in ARM
Date: Sun, 3 Dec 2017 09:34:22 +0530
Message-ID: <20171203040422.GA28025@jurassic.lan.banu.com>
In-Reply-To:
References: <20171202142323.GA20227@jurassic.lan.banu.com> <20171203015127.GA13120@isc.org>
User-Agent: Mutt/1.9.1 (2017-09-22)

Hi Evan

On Sun, Dec 03, 2017 at 01:51:55AM +0000, Evan Hunt via RT wrote:
> > The description in the ARM about using BIND with PKCS #11 as OpenSSL
> > engine is very obsolete (not available any longer). This ticket should
> > update the ARM with a correct description of how to use BIND with PKCS
> > #11 OpenSSL engine on a modern distribution, with example of usage with
> > softhsm.
>
> AFAIK the OpenSSL engine is still available (at least we're still
> shipping patches for it).

These are the patches. They're against obsolete versions of OpenSSL.
Only the 1.0.2 version is even recent, but isn't against the latest
version.

./bin/pkcs11/openssl-1.0.0t-patch
./bin/pkcs11/openssl-0.9.8zh-patch
./bin/pkcs11/openssl-1.0.2h-patch
./bin/pkcs11/openssl-1.0.1t-patch

They also are not the preferred way to get an OpenSSL PKCS #11 engine.
The instructions require a custom version of OpenSSL to be built using
what we provide as crypto code, and a custom version of BIND against it
(with conditional ifdefs).

We should stop distributing the patches, and switch to use of the OpenSC
libp11 engine which can be installed as a plug-in to stock OpenSSL on
popular distributions and doesn't need any other modifications.

Also, the patches in the tree are large patches to a crypto library. Do
we want to actively develop this, be responsible for security
vulnerabilities in it?

> I agree the doc should be updated though. Native PKCS#11 is much more
> useful now and ought to be emphasized.

How is it more useful? I want us to minimize the amount of crypto code
we have in BIND tree. I want us to drop the native PKCS #11 code and
stick to the OpenSSL engine code. With that we'll use a single crypto
implementation in the tree.

Mukund
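The following is an added example, not part of this ticket, of BIND or of OpenSC: it shows the "plug-in to stock OpenSSL" setup the message argues for, registering the OpenSC libp11 "pkcs11" engine in an openssl.cnf with SoftHSM 2 as the PKCS #11 module, and then asking OpenSSL to load and test the engine. The library paths, the token label and the PINs are assumptions (typical Debian/Ubuntu locations and constructed sample values), overridable through the environment.

```shell
#!/bin/sh
# Added example (not from the ticket or from BIND): wire the OpenSC libp11
# "pkcs11" engine into stock OpenSSL with SoftHSM 2 as the PKCS #11 module,
# then verify that OpenSSL can load it.
# Library paths are assumptions (Debian/Ubuntu layout); override via env.
ENGINE_SO="${ENGINE_SO:-/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so}"
SOFTHSM_MODULE="${SOFTHSM_MODULE:-/usr/lib/softhsm/libsofthsm2.so}"

# Write an openssl.cnf that registers the engine. "init = 0" defers module
# initialisation until the engine is first used, so merely loading the
# config file does not open the HSM.
write_pkcs11_openssl_conf() {
    cfg="$1"
    cat >"$cfg" <<EOF
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = $ENGINE_SO
MODULE_PATH = $SOFTHSM_MODULE
init = 0
EOF
}

# Ask OpenSSL to load and self-test the engine using the written config.
# Returns 0 when the engine reports "[ available ]", 1 when OpenSSL is
# present but the engine fails to load, 2 when openssl or the engine
# shared object is not installed at all.
check_pkcs11_engine() {
    cfg="$1"
    command -v openssl >/dev/null 2>&1 || return 2
    [ -f "$ENGINE_SO" ] || return 2
    OPENSSL_CONF="$cfg" openssl engine -t pkcs11 2>/dev/null \
        | grep -q '\[ available \]'
}

# One-time token creation in SoftHSM (never called by default; label and
# PINs are constructed sample values, use your own).
init_softhsm_token() {
    softhsm2-util --init-token --free --label "bind-example" \
        --pin 1234 --so-pin 5678
}

if [ "${1:-}" = "run" ]; then
    conf="$(mktemp)"
    write_pkcs11_openssl_conf "$conf"
    check_pkcs11_engine "$conf"; rc=$?
    case $rc in
        0) echo "pkcs11 engine loaded via $conf" ;;
        2) echo "openssl or $ENGINE_SO not installed; config written to $conf" ;;
        *) echo "engine failed to load; check dynamic_path/MODULE_PATH in $conf" ;;
    esac
fi
```

Invoke it as `sh pkcs11-engine.sh run`. Once `openssl engine -t pkcs11` reports the engine available, the BIND DNSSEC tools select it with their `-E pkcs11` option rather than through a patched OpenSSL, which is the configuration the message wants the ARM to document.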