[openssl-users] Regarding the security of the keys

Mike Mohr akihana at gmail.com
Tue Jul 21 07:53:51 UTC 2015

Securing a system against this kind of attack can be done in several ways,
depending on the level of assurance you desire.  You might start out with


You could also implement mandatory access control and ACLs using either
grsecurity or SELinux:


Personally I prefer grsecurity, but it is not supported in mainline by any
major distribution that I am aware of.  You'll have to patch, build, and
support your own kernel image in order to use it.  SELinux is supported
out of the box on CentOS 6 and 7, so it would probably be a good place to

If your concern is solely in the realm of protecting your RSA keys, you
might consider some HSM product from e.g. Yubico:


These tiny USB keys store the RSA keys on a secure element which is
physically tamper-resistant.  The key material never leaves the hardware
token.  However, you'd probably have to write a custom provider for
OpenSSL, and the throughput would probably only be sufficient for a very
small amount of traffic.  If you need something that can handle a higher
load, you might consider purchasing one of Cavium's cards:


However, they are 10 gigabit passthrough devices and will unwrap / re-wrap
the SSL session in hardware.  They are not cheap.

Good luck!

On Mon, Jul 20, 2015 at 11:46 PM, James <james.arivazhagan at gmail.com> wrote:

> Hi there,
> I have a concern regarding the private keys we use in the https (say
> apache) server.
> The https server links with openssl.so file, and uses the APIs provided by
> it.
> If someone builds their own openssl, adds a few lines to print the keys
> during encrypt and decrypt, and puts the library in the LD_LIBRARY_PATH,
> it may result in compromising the security of the keys.
> Has any of you faced this problem? If you could share the solution, it
> would be helpful.
> regards,
> James Arivazhagan Ponnusamy
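The library-swap scenario James raises (a rebuilt libssl/libcrypto pulled in through LD_LIBRARY_PATH) can be checked for on a running httpd by reading the worker's /proc/<pid>/maps and /proc/<pid>/environ. The script below is an added example, not code from either poster; the trusted directory prefixes, library-name pattern and the sample maps/environ contents are assumptions for a CentOS-style layout.

```python
import re

# Assumed CentOS-style layout: system libraries live only in root-owned dirs.
TRUSTED_PREFIXES = ("/usr/lib64/", "/lib64/", "/usr/lib/", "/lib/")
OPENSSL_LIB = re.compile(r"/lib(ssl|crypto)[^/]*\.so")
LOADER_VARS = ("LD_LIBRARY_PATH", "LD_PRELOAD", "LD_AUDIT")

def untrusted_openssl_mappings(maps_text):
    """Paths of libssl/libcrypto objects mapped from outside TRUSTED_PREFIXES.

    maps_text is the content of /proc/<pid>/maps; the pathname is field 6.
    """
    found = set()
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) < 6:
            continue  # anonymous mapping, [stack], [heap], ...
        path = fields[5].strip()
        if OPENSSL_LIB.search(path) and not path.startswith(TRUSTED_PREFIXES):
            found.add(path)
    return sorted(found)

def loader_overrides(environ_bytes):
    """Loader-influencing variables present in /proc/<pid>/environ (NUL-separated)."""
    overrides = {}
    for entry in environ_bytes.split(b"\0"):
        key, sep, value = entry.decode(errors="replace").partition("=")
        if sep and key in LOADER_VARS:
            overrides[key] = value
    return overrides

# Constructed sample: a worker whose libssl was swapped in via LD_LIBRARY_PATH.
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c1e0000 r-xp 00000000 08:01 393456 /usr/lib64/libcrypto.so.10
7f3a1c3f0000-7f3a1c450000 r-xp 00000000 08:01 131101 /tmp/build/libssl.so.10
7f3a1c660000-7f3a1c6c0000 r-xp 00000000 08:01 393312 /usr/lib64/libc-2.17.so
7ffd2a000000-7ffd2a021000 rw-p 00000000 00:00 0      [stack]
"""
SAMPLE_ENVIRON = b"PATH=/usr/sbin:/usr/bin\0LD_LIBRARY_PATH=/tmp/build\0LANG=C\0"

if __name__ == "__main__":
    print(untrusted_openssl_mappings(SAMPLE_MAPS))  # ['/tmp/build/libssl.so.10']
    print(loader_overrides(SAMPLE_ENVIRON))          # {'LD_LIBRARY_PATH': '/tmp/build'}
```

On a live host, feed the two functions the contents of /proc/<pid>/maps and /proc/<pid>/environ for each httpd worker (root or same-uid access is required); an empty list and an empty dict is the expected clean result.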