PKCS#11: OpenSSL and the KMIP and Atalla HSM Tokens
Posted by Mark Joseph on 07 March 2018 03:29 PM

Both the KMIP and Micro Focus Atalla HSM Tokens use OpenSSL to make TLS connections to a KMIP server or HSM, respectively. These tokens dynamically load OpenSSL and call OpenSSL functions to support TLS. OpenSSL, in turn, can load a PKCS#11 library so that its keys are kept on an HSM. Configuring OpenSSL to load the P6R PKCS#11 library with either the KMIP or Atalla HSM token is not supported and will lead to failure. The resulting execution recurses without end and eventually overflows the stack: OpenSSL calls the P6R PKCS#11 library, which calls the KMIP or Atalla token, which calls OpenSSL to establish a TLS connection, which calls the P6R PKCS#11 library again, and so on.
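A pre-deployment check for the unsupported configuration described above, as an added example that is not P6R code: it walks an OpenSSL configuration file and reports whether an engine section makes OpenSSL load a given PKCS#11 library. It assumes the libp11 `pkcs11` engine layout (`openssl_conf`, `engines`, `MODULE_PATH`); the sample file, its paths and the library file name are constructed placeholders.

```python
import os
import re

# Constructed sample config (libp11 "pkcs11" engine layout). The module file
# name is a placeholder; substitute the P6R library name from your install.
SAMPLE_CNF = """\
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/pkcs11.so
MODULE_PATH = /opt/example/lib/p6r-pkcs11-PLACEHOLDER.so
"""

def parse_sections(text):
    """Return {section: {key: value}}; keys before any header go in 'default'."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        header = re.fullmatch(r"\[\s*(.+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def pkcs11_modules(text):
    """Follow openssl_conf -> engines -> engine sections; collect MODULE_PATH."""
    s = parse_sections(text)
    init = s.get(s["default"].get("openssl_conf", ""), {})
    engines = s.get(init.get("engines", ""), {})
    return [s[name]["MODULE_PATH"] for name in engines.values()
            if "MODULE_PATH" in s.get(name, {})]

def loads_module(text, library_basename):
    """True if the config makes OpenSSL load the named PKCS#11 library."""
    return any(os.path.basename(p) == library_basename
               for p in pkcs11_modules(text))

if __name__ == "__main__":
    name = "p6r-pkcs11-PLACEHOLDER.so"  # placeholder library file name
    print("recursive configuration" if loads_module(SAMPLE_CNF, name) else "ok")
```

Only engine sections reachable from `openssl_conf` are reported, so a leftover section that nothing references does not raise a false alarm.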

