Latte Xu

Reputation: 29

Nginx fails to do handshake using pkcs11 key if running in docker container

Error:

 SSL_do_handshake() failed (SSL: error:41800082:PKCS#11 module::Object handle invalid error:0A080006:SSL routines::EVP lib) while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:10001

I am setting up an nginx proxy. It requires using an HSM for TLS offloading, so I configured nginx with `ssl_engine pkcs11;` and, instead of giving ssl_certificate_key a file path, I use a pkcs11 URI to point to the private key in the HSM.

error_log  /var/log/nginx/error.log debug;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}
ssl_engine pkcs11;

http {

    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    server {
        listen 10001 ssl;
        ssl_protocols    TLSv1.2 TLSv1.3;
        server_name www.wannacoffee.com wannacoffee.com;
        ssl_certificate /etc/ssl/certs/bundle.proxy.crt;
        ssl_certificate_key "engine:pkcs11:pkcs11:token=mimi;object=nginxProxy;type=private?pin-value=1234";
        ssl_trusted_certificate  /etc/ssl/certs/spki.cert.pem;

        root /usr/share/nginx/html;
        index index.html;

        access_log off;
        location / {
            return 200;
            default_type text/plain;
        }
    }

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    log_format ssl_handshake '$remote_addr - $remote_user [$time_local] '
                             '"$request" $status $body_bytes_sent '
                             '"$http_referer" "$http_user_agent" '
                             '$ssl_protocol $ssl_cipher $ssl_session_reused';

    access_log  /var/log/nginx/access.log  main;
    access_log  /var/log/nginx/ssl_handshake.log  ssl_handshake;
    # sendfile        on;
    #tcp_nopush     on;

    # keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

I used pkcs11-tool and softhsm-util to make sure that the object is available and can be used to sign something with openssl. The pkcs11 engine is available in the openssl configuration. When I test this configuration on localhost, this nginx configuration works. However, when I move it to a docker container, install nginx and pkcs11 in the same container, and set up this configuration, here is the error I get when I try to curl:

2024/09/24 14:47:33 [debug] 234#234: timer delta: 7664
2024/09/24 14:47:33 [debug] 234#234: worker cycle
2024/09/24 14:47:33 [debug] 234#234: epoll timer: 60000
2024/09/24 14:47:33 [debug] 234#234: epoll: fd:3 ev:0001 d:00007FF7AAD051E0
2024/09/24 14:47:33 [debug] 234#234: *3 http check ssl handshake
2024/09/24 14:47:33 [debug] 234#234: *3 http recv(): 1
2024/09/24 14:47:33 [debug] 234#234: *3 https ssl handshake: 0x16
2024/09/24 14:47:33 [debug] 234#234: *3 tcp_nodelay
2024/09/24 14:47:33 [debug] 234#234: *3 reusable connection: 0
2024/09/24 14:47:33 [debug] 234#234: *3 SSL server name: "nginx-proxy"
2024/09/24 14:47:33 [debug] 234#234: *3 SSL ALPN supported by client: h2
2024/09/24 14:47:33 [debug] 234#234: *3 SSL ALPN supported by client: http/1.1
2024/09/24 14:47:33 [debug] 234#234: *3 SSL ALPN selected: http/1.1
2024/09/24 14:47:33 [debug] 234#234: *3 SSL_do_handshake: -1
2024/09/24 14:47:33 [debug] 234#234: *3 SSL_get_error: 1
2024/09/24 14:47:33 [crit] 234#234: *3 SSL_do_handshake() failed (SSL: error:41800082:PKCS#11 module::Object handle invalid error:0A080006:SSL routines::EVP lib) while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:10001
2024/09/24 14:47:33 [debug] 234#234: *3 close http connection: 3
2024/09/24 14:47:33 [debug] 234#234: *3 event timer del: 3: 4152819210
2024/09/24 14:47:33 [debug] 234#234: *3 reusable connection: 0
2024/09/24 14:47:33 [debug] 234#234: *3 free: 000055AD4F73A7A0, unused: 133
2024/09/24 14:47:33 [debug] 234#234: timer delta: 0
2024/09/24 14:47:33 [debug] 234#234: worker cycle
2024/09/24 14:47:33 [debug] 234#234: epoll timer: -1

Upvotes: 1

Views: 58
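
Added example, not from the question above: a small POSIX shell script that pulls the token, object and PIN out of the exact ssl_certificate_key string from the config and exercises that object with pkcs11-tool and the OpenSSL pkcs11 engine from inside the container, the same checks the question describes doing on the host. The SoftHSM module path is an assumption; set PKCS11_MODULE to the module the container actually loads.

```shell
#!/bin/sh
# Added example (not part of the original question). Splits nginx's
# "engine:pkcs11:<PKCS#11 URI>" key string into its URI attributes, then
# looks the private key up with pkcs11-tool and signs a test message with
# it through OpenSSL's pkcs11 engine. Run it inside the nginx container,
# as the same user the nginx workers run as, so a missing module, wrong
# token label or unreadable token directory shows up before nginx does.

# pkcs11_attr STRING NAME: print the value of attribute NAME from the
# pkcs11: URI in STRING. Path attributes are separated by ';', the query
# part starts with '?' and its attributes are separated by '&'.
pkcs11_attr() {
    attrs=${1#engine:pkcs11:}          # drop nginx's engine prefix
    attrs=${attrs#pkcs11:}             # drop the URI scheme
    printf '%s' "$attrs" | tr ';?&' '\n\n\n' | sed -n "s/^$2=//p"
}

# Key string copied from the nginx config in the question.
KEY='engine:pkcs11:pkcs11:token=mimi;object=nginxProxy;type=private?pin-value=1234'

# Assumed SoftHSM v2 module path; override with PKCS11_MODULE if different.
MODULE=${PKCS11_MODULE:-/usr/lib/softhsm/libsofthsm2.so}

# pkcs11_check KEY: fail if the private key the URI names is not visible
# to this process, or if OpenSSL's pkcs11 engine cannot sign with it.
pkcs11_check() {
    token=$(pkcs11_attr "$1" token)
    object=$(pkcs11_attr "$1" object)
    pin=$(pkcs11_attr "$1" pin-value)

    # 1. Is the object reachable through the module, token and PIN?
    pkcs11-tool --module "$MODULE" --token-label "$token" --login --pin "$pin" \
        --list-objects --type privkey --label "$object" || return 1

    # 2. Can the OpenSSL engine (what nginx uses) actually sign with it?
    uri="pkcs11:token=$token;object=$object;type=private"
    printf 'handshake test\n' > /tmp/pkcs11-check.msg
    openssl dgst -sha256 -engine pkcs11 -keyform engine -sign "$uri" \
        -passin "pass:$pin" -out /tmp/pkcs11-check.sig /tmp/pkcs11-check.msg
}

# Usage: sh pkcs11-check.sh run
if [ "${1:-}" = run ]; then
    pkcs11_check "$KEY" && echo "PKCS#11 key usable from this process"
fi
```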

Answers (0)
