Known issues for AWS CloudHSM hsm2m.medium instances

The following issues impact all AWS CloudHSM hsm2m.medium instances.

Issue: Login latency increases due to increased PBKDF2 iterations

  • Impact: For increased security, hsm2m.medium performs 60,000 iterations of Password-Based Key Derivation Function 2 (PBKDF2) during login requests compared to 1,000 in hsm1.medium. This increase may result in an increased latency of up to 2 seconds (2s) per login request.

    The default timeout for the AWS CloudHSM Client SDKs is 20s. Login requests may time out and result in an error.

  • Workaround: If possible, serialize login requests in the same application to avoid extended latency during login. Multiple login requests in parallel will cause increased latency.

  • Resolution status: Future versions of the Client SDK will have an increased default timeout for login requests to account for this increased latency.

Issue: A CO user trying to set the trusted attribute of a key will fail with Client SDK 5.12.0 and earlier

  • Impact: Any CO user attempting to set the trusted attribute of a key will receive an error indicating that User type should be CO or CU.

  • Resolution: Future versions of the Client SDK will resolve this issue. Updates will be announced in our user guide's Document history.

Issue: ECDSA verify will fail with Client SDK 5.12.0 and earlier for clusters in FIPS mode

  • Impact: ECDSA verify operation performed for HSMs in FIPS mode will fail.

  • Resolution status: This issue has been resolved in the Client SDK 5.13.0 release. You must upgrade to this client version or later to benefit from the fix.

Issue: Only PEM-formatted certificates can be registered as mTLS trust anchors with CloudHSM CLI

  • Impact: Certificates in DER format cannot be registered as mTLS trust anchors with CloudHSM CLI.

  • Workaround: You can convert a certificate in DER format to PEM format with the following openssl command: openssl x509 -inform DER -outform PEM -in certificate.der -out certificate.pem

Issue: Customer applications will stop processing all requests when using mTLS with a passphrase-protected client private key

  • Impact: All operations performed by the application will be halted and the user will be prompted for the passphrase on standard input multiple times throughout the lifetime of the application. Operations will time out and fail if the passphrase is not provided before the operation's timeout duration.

  • Workaround: Passphrase-encrypted private keys are not supported for mTLS. Remove passphrase encryption from the client private key.
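
A preflight check for the two mTLS issues above (PEM-only trust anchors and passphrase-protected client keys), as an added example that is not part of the AWS documentation or the CloudHSM CLI. The function names and sample byte strings are constructed for illustration, and the DER check validates only the outer ASN.1 framing, not the certificate contents.

```python
import base64

BEGIN, END = b"-----BEGIN CERTIFICATE-----", b"-----END CERTIFICATE-----"

def looks_like_der(data: bytes) -> bool:
    """True if data is one DER SEQUENCE whose length field spans the whole input."""
    if len(data) < 2 or data[0] != 0x30:          # 0x30 = SEQUENCE tag
        return False
    if data[1] < 0x80:                            # short-form length
        return len(data) == 2 + data[1]
    n = data[1] & 0x7F                            # long form: n length octets follow
    if not 1 <= n <= 4 or len(data) < 2 + n:
        return False
    return len(data) == 2 + n + int.from_bytes(data[2:2 + n], "big")

def to_pem_certificate(data: bytes) -> bytes:
    """Return the certificate in PEM, converting from DER when needed."""
    if BEGIN in data:
        return data
    if not looks_like_der(data):
        raise ValueError("input is neither a PEM nor a DER certificate")
    b64 = base64.b64encode(data)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"\n".join([BEGIN, *lines, END]) + b"\n"

def key_is_passphrase_protected(pem: bytes) -> bool:
    """Detect encrypted PKCS#8 and traditional OpenSSL encrypted PEM keys."""
    return (b"-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem
            or b"Proc-Type: 4,ENCRYPTED" in pem)

def preflight(cert: bytes, key: bytes):
    """Return (pem_cert, problems) for a trust-anchor certificate and a client key."""
    problems = []
    if key_is_passphrase_protected(key):
        problems.append("client private key is passphrase protected")
    return to_pem_certificate(cert), problems

# Constructed samples: framing only, not real certificates or keys.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
PLAIN_KEY = b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
PKCS8_ENC = (b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n"
             b"-----END ENCRYPTED PRIVATE KEY-----\n")
LEGACY_ENC = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              b"DEK-Info: AES-256-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    pem, problems = preflight(SAMPLE_DER, LEGACY_ENC)
    print(pem.decode().splitlines()[0], problems)
```
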

Issue: User replicate fails when using the CloudHSM CLI

  • Impact: User replication fails on hsm2m.medium instances when using the CloudHSM CLI. The user replicate command works as expected on hsm1.medium instances.

  • Resolution: We're actively working to resolve this issue. For updates, see the Document history in the user guide.

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.