使用 mod gnutls 错误配置 Apache2 网络服务器

使用 mod gnutls 错误配置 Apache2 网络服务器

apache2 mod_gnutls https 服务实际上成功运行,但在尝试从 pkcs11 URL 读取私钥时始终返回此错误:

[Wed Jan 20 13:26:25.268236 2016] [gnutls:emerg] [pid 5232:tid 140334984677248] GnuTLS: Failed to Re-Import Private Key URL 'pkcs11:model=SoftHSM;manufacturer=SoftHSM;serial=1;token=GnuTLS-Test;id=%3e%2d%3d%e4%2b%8b%a0%7c%7c%56%08%95%aa%aa%47%db%15%a2%b9%84;object=GnuTLSTest2;object-type=private': (-300) PKCS #11 error.

使用 apache2 2.4.x 与 mod-gnutls 0.7.2 + gnutls 3.3.x

操作系统:Ubuntu Vivid

有趣的是,它不会返回证书的此类错误,只会返回私钥。

那么有什么想法吗?

更新:

这是来自 mod_gnutls.conf 的配置文件:

<IfModule mod_gnutls.c>

# The default method is to use a DBM backed cache.  It's not super fast, but
# it's portable and doesn't require another server to be running like
# memcached
#GnuTLSP11Module /usr/lib/softhsm/libsofthsm.so
#GnuTLSPIN 1234
GnuTLSCache dbm /var/cache/apache2/gnutls_cache

# mod_gnutls can optionaly use a memcached server to store SSL sessions.
# This is useful in a cluster environment, where you want all your servers to
# share a single SSL session cache
#GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com"
GnuTLSCacheTimeout 600
<VirtualHost _default_:443>

DocumentRoot "/var/www/htdocs"
ServerName localhost
ServerAdmin [email protected]
ErrorLog "/var/log/apache2/error_log"
TransferLog "/var/log/apache2/access_log"

GnuTLSEnable on
GnuTLSSessionTickets on
GnuTLSPriorities NORMAL

GNUTLSExportCertificates on
GnuTLSPIN 1234
GnuTLSCertificateFile pkcs11:model=SoftHSM;manufacturer=SoftHSM;serial=1;token=GnuTLS-Test;id=%3e%2d%3d%e4%2b%8b%a0%7c%7c%56%08%95%aa%aa%47%db%15%a2%b9%84;object=GnuTLSTest;object-type=cert
GnuTLSKeyFile pkcs11:model=SoftHSM;manufacturer=SoftHSM;serial=1;token=GnuTLS-Test;id=%3e%2d%3d%e4%2b%8b%a0%7c%7c%56%08%95%aa%aa%47%db%15%a2%b9%84;object=GnuTLSTest2;object-type=private
</VirtualHost>
</IfModule>

答案1

您的 pkcs11 库已被注释掉:

GnuTLSP11Module /usr/lib/softhsm/libsofthsm.so

因此mod_gnutls无法读取 HSM 上的密钥。您也可以取消注释该引脚:

GnuTLSPIN 1234

显然将其更改为您选择的 PIN。

相关内容