Hi Emeric, Thanks for testing. I will try repro the issues locally and report back.
Regards, Grant > On Mar 15, 2017, at 07:41, Emeric Brun <eb...@haproxy.com> wrote: > > Hi Grant, > > On 03/15/2017 12:46 PM, Emeric Brun wrote: >> Hi Grant, >> >> On 03/15/2017 12:05 PM, Emeric Brun wrote: >>> Hi Grant, >>> >>> On 02/04/2017 12:55 AM, Grant Zhang wrote: >>>> This patch set adds the basic support for OpenSSL crypto engine and >>>> async mode. >>>> >>>> Changes since V2: >>>> - support keyword "algo" >>>> - ensure SSL engines are initialized before loading certs. >>>> - limit one async fd per SSL connection >>>> - better integrate with event cache >>>> >>>> Changes since V1: >>>> - add multiple engine support >>>> - allow default algorithms to be specified for an engine >>>> - remove the support for engine identifier "all" since (a) it is not >>>> possible >>>> to specify default algorithms for all engine and (b) "all" makes it hard >>>> to >>>> figure out what engine does what crypto algorithms. >>>> - address Willy's other comments. >>>> >>> >> >> An other issue: >> >> i'm using that configuration: >> >> global >> ssl-engine qat algo RSA >> ssl-async >> tune.ssl.default-dh-param 2048 >> >> listen ss >> mode tcp >> bind 0.0.0.0:8080 >> server ssl 127.0.0.1:8443 ssl no-ssl-reuse verify none >> >> listen gg >> mode http >> bind 0.0.0.0:8443 ssl crt /root/2048.pem >> redirect location / >> >> Unable to perform a clear request through 8080. There is no is issue if i >> disable the engine or if i request directly in ssl on 8443. >> >> R, >> Emeric >> > > There is some inconsistencies between the engine and the used client: > > here the conf: > global > tune.ssl.default-dh-param 2048 > ssl-engine qat > ssl-async > > listen gg > mode http > bind 0.0.0.0:8443 ssl crt /root/2048.pem > redirect location / > > openssl s_client -connect performs well but curl failed: > emeric@ebr-laptop:~/inject$ curl -k https://10.0.0.109:8443/ > curl: (35) gnutls_handshake() failed: Bad record MAC > > > If I comment the ssl-engine line, no more issue. > > R, > Emeric > > the conf: > > > >