by y0ghur7_xxx 4454 days ago
> Ideally you'd want your TLS keys to be stored in an HSM

Does an open spec HSM module exist? I can be somehow sure that Linux and Apache/nginx don't have backdoors as the source is audited by many people, but I need to be "sure" of my HSM too.

1 comments

There's an open-source software HSM: http://www.opendnssec.org/softhsm/
It runs in process though, so it would have had the exact same result with Heartbleed. Its keys need to be readable to that user, so exploits like http://blog.detectify.com/post/82370846588/how-we-got-read-a... would also still leak your private keys. So no net win here unfortunately.

opencryptoki has a softhsm too, but again, it appears to run in process. Same problems.
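
Added example, not part of the thread and not code from SoftHSM or opencryptoki: a defender-side check for the situation the comments above describe, listing software PKCS#11 modules that are mapped into a process's own address space by parsing Linux `/proc/<pid>/maps`. The library file names in the pattern, the function names and the sample maps text are assumptions constructed for illustration.

```python
import re

# Assumption: shared-object names commonly used by software PKCS#11 tokens.
SOFT_TOKEN_LIBS = re.compile(r"/(libsofthsm2?|libopencryptoki|libpkcs11_sw)\.so(\.[\d.]+)?$")

def mapped_files(maps_text):
    """Return the set of file paths mapped into a process, from /proc/<pid>/maps text."""
    paths = set()
    for line in maps_text.splitlines():
        # Fields: address perms offset dev inode [pathname]
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue                      # anonymous mapping, no backing file
        path = parts[5].strip()
        if path.endswith(" (deleted)"):   # library replaced on disk but still loaded
            path = path[: -len(" (deleted)")]
        if path.startswith("/"):
            paths.add(path)               # skips [heap], [stack], [vdso]
    return paths

def in_process_soft_tokens(maps_text):
    """Software token libraries sharing the address space of the audited process."""
    return sorted(p for p in mapped_files(maps_text) if SOFT_TOKEN_LIBS.search(p))

def audit(pid):
    """Run the check against a live process (needs permission to read its maps)."""
    with open(f"/proc/{pid}/maps") as fh:
        return in_process_soft_tokens(fh.read())

# Constructed sample: a web server worker with a software token loaded in process.
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0b2a000 r-xp 00000000 08:01 1311 /usr/sbin/nginx
55d0c1f3c000-55d0c1fa0000 rw-p 00000000 00:00 0 [heap]
7f3a10000000-7f3a10021000 rw-p 00000000 00:00 0
7f3a14200000-7f3a1428e000 r-xp 00000000 08:01 2204 /usr/lib/softhsm/libsofthsm2.so
7f3a1428e000-7f3a14290000 rw-p 0008e000 08:01 2204 /usr/lib/softhsm/libsofthsm2.so
7f3a15000000-7f3a151c0000 r-xp 00000000 08:01 1790 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7ffd2b1e0000-7ffd2b201000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    print(in_process_soft_tokens(SAMPLE_MAPS))
```

A non-empty result means the token code runs inside the audited process, so the keys it handles share that process's memory and a memory-disclosure bug there can expose them.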

Is SoftHSM meant for production use? I get a feeling it's not (but am not sure), based on this sentence:

> You can use it to explore PKCS #11 without having a Hardware Security Module.