Opened 5 years ago

Closed 5 years ago

#820 closed enhancement (wontfix)

Add neverbleed support

Reported by: HLFH@…
Owned by:
Priority: major
Milestone: 1.9.6
Component: nginx-core
Version: 1.9.x
Keywords: neverbleed, heartbleed
Cc:
uname -a: Linux arch-server 4.2.3-1-ARCH #1 SMP PREEMPT Sat Oct 3 18:52:50 CEST 2015 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.9.5
built with OpenSSL 1.0.2d 9 Jul 2015
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --sbin-path=/usr/bin/nginx --pid-path=/run/nginx.pid --lock-path=/run/lock/nginx.lock --user=http --group=http --http-log-path=/var/log/nginx/access.log --error-log-path=stderr --http-client-body-temp-path=/var/lib/nginx/client-body --http-proxy-temp-path=/var/lib/nginx/proxy --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-mail --with-mail_ssl_module --with-ipv6 --with-pcre-jit --with-file-aio --with-http_dav_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_realip_module --with-http_v2_module --with-http_ssl_module --with-http_stub_status_module --with-http_addition_module --with-http_degradation_module --with-http_flv_module --with-http_mp4_module --with-http_secure_link_module --with-http_sub_module --with-threads --with-stream

Description

Hi,

[Neverbleed](https://github.com/h2o/neverbleed) is a privilege separation engine for OpenSSL / LibreSSL that runs RSA private key operations in an isolated process, thereby minimizing the risk of a private key leak in case of a vulnerability such as Heartbleed.

Please support it to increase the security of Nginx.

Thanks in advance,

Change History (1)

comment:1 by Maxim Dounin, 5 years ago

Resolution: wontfix
Status: new → closed

As of nginx 1.7.9+, loading of secret keys via arbitrary OpenSSL engines is supported, and this allows storing keys even on hardware tokens, as well as in isolated processes. There is no need to reinvent the wheel.
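An added configuration example (not from the ticket or the nginx project) showing the engine-backed key loading the comment above refers to, with the conventional file-based key shown alongside it for contrast. It assumes the OpenSSL `pkcs11` engine (libp11/OpenSC) is installed and registered in openssl.cnf; the token label, key label, hostname and paths are placeholders.

```nginx
# Added example, not part of ticket #820. Assumes the OpenSSL "pkcs11"
# engine is registered in openssl.cnf; token/object labels are placeholders.

# Before: the private key is a file that every nginx worker reads into its
# own address space, so a memory-disclosure bug in the worker (Heartbleed
# being the canonical case) can expose the key material itself.
#   ssl_certificate_key /etc/nginx/ssl/example.key;

# After (nginx 1.7.9+): the worker never holds the key. nginx obtains a key
# handle from the named OpenSSL engine, and every private-key operation is
# carried out by the engine, whether that is a hardware token or a separate
# process. A memory leak from the worker yields only a handle, not the key.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/ssl/example.crt;

    # Syntax: engine:<engine name>:<key id understood by that engine>.
    # For the pkcs11 engine the id is a PKCS#11 URI; it is quoted because
    # the URI contains semicolons. The token PIN is supplied through the
    # engine's own configuration (openssl.cnf), not here.
    ssl_certificate_key "engine:pkcs11:pkcs11:token=nginx-token;object=nginx-tls-key;type=private";
}
```

Validate with `nginx -t` before reloading: if the engine cannot be loaded or the key id does not resolve, the configuration test fails rather than the server starting without a usable key.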
