I think if we have an entry to represent OpenSSL v3.0's querystrings, it will be much more useful. Because it helps to for example enable fips by passing that querystring to algorithms. This cannot be achieved via configuration file well. Something like this:

ssl_provider_query_string "fips=yes"

Though, it is completely openssl related configuration.

Hello@bavshin-f5, very interesting.
Today, without this change, is it possible to rely solely on a provider to retrieve key and certificate for HTTPS connection?

It seems to me that specifying thessl_certificate andssl_certificate_key are still mandatory. I don't have these paths, since I would like to rely on my provider to load the keys from my tamper-resistant chip.

I think this newssl_provider directive would allow doing what I would like to do?

@josuerocha
It is possible to use provider right now from PR#436 which is merged on the master even without this PR is your provider supports STORE_API.

Thank you for your response,@afshinpir .

I have a more specific follow-up question:

As of NGINX version 1.25.4, is it possible to configure OpenSSL providers, via an OpenSSL configuration file, in such a way that the provider's key and certificate can be used by NGINX to establish TLS connections?

From what I understand, the pull request you referenced enables selecting specific keys. However, is it also possible for the provider to expose a default key that NGINX could use without explicitly selecting it?