I tried posting the following to the openssl-users list, but it seems that my requests
for subscription and my post regarding the following issue went into the ether. I'll
quote what I wrote earlier, and although this question is more an openssl issue than
modssl, I am sure some people here will have dealt with this.
--- BEGIN-CROSSPOST-----
I can't seem to see anything in the mail archives for the openssl-* lists, so here
goes...
Sun has a hardware crypto accelerator based on the Rainbow Cryptoswift chip, and claim
support for OpenSSL. Indeed, they ship a set of patches versus 0.9.4. Can anyone
indicate what the state is of support for the Sun Crypto Accelerator 1 Board in
0.9.6a-engine? I know the Rainbow product is working, but the Sun product seems to be
quite different.
I built 0.9.6a-engine under Solaris 8 and have the hardware device configured. Sun
ships a library called "libswift.so" (a link to "libswift.so.5.2.2"), along with
libraries for Netscape Server (swiftns351.so, swiftns351.so.1) and iPlanet
(cryptoki.jar, libcryptoki22.so).
When I try and do an "./openssl speed rsa1024 -engine cswift" I see:
> engine "cswift" set.
> Doing 1024 bit private rsa's for 10s: RSA sign failure
> 4189:error:26067072:engine routines:CSWIFT_MOD_EXP_CRT:request
> failed:hw_cswift.c:524:CryptoSwift error number is -10004
> 1 1024 bit private RSA's in 0.90s
> Doing 1024 bit public rsa's for 10s: RSA verify failure
> 4189:error:26066072:engine routines:CSWIFT_MOD_EXP:request
> failed:hw_cswift.c:413:CryptoSwift error number is -10004
> 1 1024 bit public RSA's in 0.71s
> OpenSSL 0.9.6a [engine] 5 Apr 2001
> built on: Mon May 21 15:42:29 WST 2001
> options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long)
> idea(int) blowfish(ptr)
> compiler: gcc -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN
> -DHAVE_DLFCN_H -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall
> -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM
> sign verify sign/s verify/s
> rsa 1024 bits 0.0900s 0.7100s 11.1 1.4
Compared to without trying to use the cswift:
> sign verify sign/s verify/s
> rsa 1024 bits 0.0287s 0.0016s 34.9 642.1
Not exactly "accelerating" much... ;)
Does anyone have one of these boards working correctly with 0.9.6a-engine? Is there
support for the Sun board in 0.9.6a-engine? My tests with cstest shows that the
standard build of 0.9.6a-engine (with no options passed to config) is not using the
crypto card by default. Is there something that must be done to get this working in
this case?
Interestingly, http://morpheus.dcs.it.mtu.edu/~tcpiket/cryptocard/ claims success
compiling OpenSSL with the Sun board with "Configure solaris-sparcv8-cc
-L/usr/local/lib threads shared -ldl", and while I have gcc, I tried
solaris-sparcv9-gcc instead, but this failed (ld doesn't like the options generated).
I rebuild OpenSSL with the -ldl option to "config", and retested, using both an
LD_LIBRARY_PATH that included the directory containing the Sub supplied "libswift.so",
and then with LD_PRELOAD for the exact library, but with no joy.
--- END--CROSSPOST---
So, are there modssl users using the Sun product?
TIA,
James
--
James Bromberger,
Senior Web/Systems Administrator, JDV
+61 8 9268 2909, +61 417 322 500
Fax: +61 8 9268 0200
JDV - e-Commerce and Outsourcing Solutions for Financial Services
http://www.jdv.com/
Any securities recommendation contained in this document is unsolicited general
information only. Do not act on a recommendation without first consulting your
investment advisor to determine whether the recommendation is appropriate for your
investment objectives, financial situation and particular needs.
JDV believes that any information or advice (including any securities recommendation)
contained in this document is accurate when issued. However, JDV does not warrant its
accuracy or reliability. JDV, its officers, agents and employees exclude all liability
whatsoever, in negligence or otherwise, for any loss or damage relating to this
document to the full extent permitted by law.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]