用于设置TLS连接的带有engine_ssl pkcs11的Nginx配置
请帮助我在Windows上配置nginx,以便使用基于PKCS11引擎的TLS连接 我有来自提供程序的驱动程序pkcs11 C:\nCipher\nfast\toolkits\pkcs11\cknfast-64.dll 我的nginx.conf文件如下所示:用于设置TLS连接的带有engine_ssl pkcs11的Nginx配置,nginx,pkcs#11,Nginx,Pkcs#11,请帮助我在Windows上配置nginx,以便使用基于PKCS11引擎的TLS连接 我有来自提供程序的驱动程序pkcs11 C:\nCipher\nfast\toolkits\pkcs11\cknfast-64.dll 我的nginx.conf文件如下所示: worker_processes 1; events { worker_connections 1024; } #nShield PKCS#11 ssl_engine pkcs11; http { ...
worker_processes 1;
events {
worker_connections 1024;
}
#nShield PKCS#11
ssl_engine pkcs11;
http {
...
server {
listen 8888;
server_name localhost;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name localhost;
ssl_certificate C:/nginx-1.16.1/ssl/test_selfcert;
ssl_certificate_key "engine:pkcs11:pkcs11:token=ocs2;object=test_key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:ECDHE:!COMPLEMENTOFDEFAULT;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
location / {
proxy_pass http://localhost:9999/;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
}
}
}
>nginx -t
nginx: [emerg] ENGINE_by_id("pkcs11") failed (SSL: error:25078067:DSO support routines:win32_load:could not load the shared library:filename(Z:\nginx\nginx-stab
le\objs.msvc8\lib\openssl-1.1.1c\openssl\lib\engines-1_1\pkcs11.dll) error:25070067:DSO support routines:DSO_load:could not load the shared library error:260B60
84:engine routines:dynamic_load:dso not found error:2606A074:engine routines:ENGINE_by_id:no such engine:id=pkcs11)
nginx: configuration file C:\nginx-1.16.1/conf/nginx.conf test failed
> openssl engine -t -c pkcs11
13112:error:25078067:DSO support routines:WIN32_LOAD:could not load the shared library:dso_win32.c:179:filename(C:\Program Files\Git\mingw64\lib\engines\pkcs11.
dll)
13112:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
13112:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:467:
13112:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:411:id=pkcs11
...
openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
chil = chil_section
[chil_section]
SO_PATH=c:\\Program Files (x86)\\nCipher\\nfast\\toolkits\\hwcrhk\\nfhwcrhk.dll
#added
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = "C:\\Program Files\\OpenSSLx64\\bin\\pkcs11openssl64x.dll"
MODULE_PATH = "C:\\nCipher\\nfast\\toolkits\\pkcs11\\cknfast-64.dll"
init = 0
...
>nginx -t
nginx: [emerg] ENGINE_by_id("pkcs11") failed (SSL: error:25078067:DSO support routines:win32_load:could not load the shared library:filename(Z:\nginx\nginx-stab
le\objs.msvc8\lib\openssl-1.1.1c\openssl\lib\engines-1_1\pkcs11.dll) error:25070067:DSO support routines:DSO_load:could not load the shared library error:260B60
84:engine routines:dynamic_load:dso not found error:2606A074:engine routines:ENGINE_by_id:no such engine:id=pkcs11)
nginx: configuration file C:\nginx-1.16.1/conf/nginx.conf test failed
> openssl engine -t -c pkcs11
13112:error:25078067:DSO support routines:WIN32_LOAD:could not load the shared library:dso_win32.c:179:filename(C:\Program Files\Git\mingw64\lib\engines\pkcs11.
dll)
13112:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
13112:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:467:
13112:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:411:id=pkcs11
> openssl engine -t -c pkcs11 -config "C:\nCipher\nfast\lib\ssleay\openssl.cnf"
13572:error:25078067:DSO support routines:WIN32_LOAD:could not load the shared
library:./crypto/dso/dso_win32.c:179:filename(C:\nCipher\nfast\bin\pkcs11.dll)
13572:error:25070067:DSO support routines:DSO_load:could not load the shared library:./crypto/dso/dso_lib.c:233:
13572:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:./crypto/engine/eng_dyn.c:467:
13572:error:2606A074:engine routines:ENGINE_by_id:no such engine:./crypto/engine/eng_list.c:391:id=pkcs11
13572:error:25078067:DSO support routines:WIN32_LOAD:could not load the shared library:./crypto/dso/dso_win32.c:179:filename(C:\nCipher\nfast\bin\-config.dll)
13572:error:25070067:DSO support routines:DSO_load:could not load the shared library:./crypto/dso/dso_lib.c:233:
13572:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:./crypto/engine/eng_dyn.c:467:
13572:error:2606A074:engine routines:ENGINE_by_id:no such engine:./crypto/engine/eng_list.c:391:id=-config
13572:error:25078067:DSO support routines:WIN32_LOAD:could not load the shared library:./crypto/dso/dso_win32.c:179:filename(C:\nCipher\nfast\lib\ssleay\\openss
l.cnf)
13572:error:25070067:DSO support routines:DSO_load:could not load the shared library:./crypto/dso/dso_lib.c:233:
13572:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:./crypto/engine/eng_dyn.c:467:
13572:error:2606A074:engine routines:ENGINE_by_id:no such engine:./crypto/engine/eng_list.c:391:id=C:\nCipher\nfast\lib\ssleay\openssl.cnf
> openssl engine -t -c pkcs11
(pkcs11) pkcs11 engine
[RSA, rsaEncryption, id-ecPublicKey]
[ available ]
>openssl engine -t -c
(dynamic) Dynamic engine loading support
[ unavailable ]
(chil) CHIL hardware engine support
[RSA, DH, RAND]
[ available ]
请帮助我为NGINX设置正确的配置,以使用TLS连接设置。我想您有一个nCipher HSM?您正在运行哪个版本的security world软件?PKCS11 DLL应已安装在安装ISO上。你已经创造了一个安全的世界吗
您的配置试图同时使用CHIL引擎和PKCS11。这是与Hardserver对话的两个不同API,选择一个,但不能同时选择两个。看起来您缺少P11引擎库;请参阅此答案,了解如何在Windows上使用它: 在Linux平台上,该组件通常通过分发存储库提供,这意味着nginx的设置要简单得多
要获得有关nShield设备的帮助,请访问:someone,并在文章中提示如何使用NGINX的驱动程序PKCS11?