[Libwebsockets] Private key in SSL

Andy Green andy at warmcat.com
Fri Jun 10 07:00:23 CEST 2016



On June 10, 2016 12:45:09 PM GMT+08:00, techi eth <techieth at gmail.com> wrote:
>Flash area which is accessible by user who have password to access, but by
>reading PKI document I understand private key shouldn't be in memory area
>where user have access.

That is ideally true... but out of the box openssl and the other ssl solutions require that it is in userland memory though.

>I was reading through & found a couple of solutions which will do secure TLS
>handshake like TPM & OpenSSL compatible engines. Please find below links for
>same.
>
>https://en.wikipedia.org/wiki/Trusted_Platform_Module
>https://wiki.openssl.org/index.php/Binaries

I think these integrate to openssl, out of scope for lws.

If you create an openssl that uses those crypto backends, plus or minus whatever config is needed, it should just work.  You'd put your cert + key into the backend separately and lws would not know or care its ssl requests were being handled by it.

If there is a need to set flags on openssl or whatever to make it work, let me know what is needed (or send patches) and I'll try to add it.  But maybe nothing needed in lws, since you'll have your own customized openssl at that point.

-Andy

>
>
>On Fri, Jun 10, 2016 at 9:42 AM, Andy Green <andy at warmcat.com> wrote:
>
>>
>>
>> On 06/10/2016 11:41 AM, techi eth wrote:
>>
>>> Is there any way by which private key taken by libwebsocket is not from
>>> file or open memory area?
>>>
>>> My question coming from security aspect, I understand private key
>>> shouldn't be kept in open memory area due to security.
>>>
>>
>> Can you explain what a "not open memory area" looks like?
>>
>> -Andy
>>
>>
>>>
>>>
>>>
>>>
