openssl and external card reader support in TLS

Michael Wojcik Michael.Wojcik at
Wed Oct 23 14:51:29 UTC 2019

> From: Tobias.Wolf at [mailto:Tobias.Wolf at]
> Sent: Wednesday, October 23, 2019 02:11
> Our PKCS11 module development will be discontinued and therefore I can't use it
> anymore, but the idea is great and very interesting.
> To give more details, we need a callback or similar mechanism to replace the
> signature created in the Certificate TLS message with our signature coming from
> the card reader.

For OpenSSL 1, the Engine mechanism is the way to do this. If you're discontinuing your PKCS#11 interface, then I think the only option is to write a custom engine.

For OpenSSL 3, I understand there's a new Provider mechanism for this purpose, but I haven't investigated it.

Michael Wojcik
Distinguished Engineer, Micro Focus
