[Opendnssec-user] Network enabled SoftHSM

Casper Gielen c.gielen at uvt.nl
Tue Apr 12 11:54:37 UTC 2011

I'm constructing a network enabled version of SoftHSM. Although it's
not yet complete I think it is time to share my work with the world.

I post this now because I'm looking for feedback on the general design 
and I hope that other users will be able to help me develop this into
a complete solution.
If anybody knows of any other way of doing PKCS11/(soft)HSM over the 
network I would be interested to know about it.


My HSM consists of three parts: softhsm, pkcs11-proxy and stunnel

softHSM is the backend which handles most of the work.
pcks11-proxy speaks pkcs11 over the network.
stunnel is a general-purpose ssl-wrapper to make the entire thing secure 
against network-sniffing.


ods-signer -> libpkcs11-proxy.so -> stunnel-client ->
<the network> ->
stunnel-server -> pkcs11-proxy-daemon -> libsofthsm.so


The system works, but is not stable. Small scale tests work fine, but it 
crashes during longer runs. I'm not sure which part should be blamed but 
I'm confident that it can be fixed.

I'm willing to share my configs if anybody is interested, just ask.
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl

More information about the Opendnssec-user mailing list