Hi there,
On Wed, 30 May 2001, James Bromberger wrote:
> I tried posting the following to the openssl-users list, but it seems that my
> requests for subscription and my post regarding the following issue went into
> the ether. I'll quote what I wrote earlier, and although this question is more
> an openssl issue than modssl, I am sure some people here will have dealt with
> this.
Yeah, there seem to have been some problems with the mail server over the
weekend. Watch this space for any admin posts on the subject ...
> Sun has a hardware crypto accelerator based on the Rainbow Cryptoswift chip,
> and claim support for OpenSSL. Indeed, they ship a set of patches versus
> 0.9.4. Can anyone indicate what the state is of support for the Sun Crypto
> Accelerator 1 Board in 0.9.6a-engine? I know the Rainbow product is working,
> but the Sun product seems to be quite different.
>
> I built 0.9.6a-engine under Solaris 8 and have the hardware device configured.
> Sun ships a library called "libswift.so" (a link to "libswift.so.5.2.2"),
> along with libraries for Netscape Server (swiftns351.so, swiftns351.so.1) and
> iPlanet (cryptoki.jar, libcryptoki22.so).
>
> When I try and do an "./openssl speed rsa1024 -engine cswift" I see:
>
> > engine "cswift" set.
> > Doing 1024 bit private rsa's for 10s: RSA sign failure
> > 4189:error:26067072:engine routines:CSWIFT_MOD_EXP_CRT:request
> > failed:hw_cswift.c:524:CryptoSwift error number is -10004
> > 1 1024 bit private RSA's in 0.90s
> > Doing 1024 bit public rsa's for 10s: RSA verify failure
> > 4189:error:26066072:engine routines:CSWIFT_MOD_EXP:request
> > failed:hw_cswift.c:413:CryptoSwift error number is -10004
> > 1 1024 bit public RSA's in 0.71s
> > OpenSSL 0.9.6a [engine] 5 Apr 2001
> > built on: Mon May 21 15:42:29 WST 2001
> > options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long)
> > idea(int) blowfish(ptr)
> > compiler: gcc -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN
> > -DHAVE_DLFCN_H -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall
> > -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM
> >                   sign    verify    sign/s verify/s
> > rsa 1024 bits   0.0900s   0.7100s     11.1      1.4
>
>
> Compared to without trying to use the cswift:
>
> >                   sign    verify    sign/s verify/s
> > rsa 1024 bits   0.0287s   0.0016s     34.9    642.1
>
>
> Not exactly "accelerating" much... ;)
Actually, the output you quoted showed errors in first operation (for both
signing and verifying). So the stats can effectively be disregarded. As you
quote a second set of stats (without its preceding output) it's difficult to
know whether that failed also - I think it probably did because normally the
sign/verify times are close to 10.000 s, not 0.0*** s! Please check your error
output and run any diagnostics that go with your card+drivers to check the card
and support software is working OK.
> Does anyone have one of these boards working correctly with 0.9.6a-engine? Is
> there support for the Sun board in 0.9.6a-engine? My tests with cstest shows
> that the standard build of 0.9.6a-engine (with no options passed to config) is
> not using the crypto card by default. Is there something that must be done to
> get this working in this case?
Yes, for the "openssl ***" commands (such as speed, s_client, etc), you use the
"-engine <id>" switch to specify an engine. There is also an "openssl engine"
command for listing (and if you want, testing) the engines available. I'd
recommend playing with that until you can see that openssl-based apps are using
your card OK, and only then start worrying about "speed" (which is obviously
less help in testing that the hardware is working).
For other applications (eg. mod_ssl, Apache-SSL, mail-server embellishments,
etc) you'll have to see what support, if any, they have for doing the same
thing. OpenSSL has to be instructed to use a given ENGINE - and it's possible to
have multiple ENGINEs in use at the same time for different roles and/or keys,
so it's not sufficient for openssl to just try and "pick" an ENGINE par default.
(Also, given it's generally *other* applications using the openssl libraries,
it's not a good idea to take control away from the application developer of such
things.)
> Interestingly, http://morpheus.dcs.it.mtu.edu/~tcpiket/cryptocard/ claims
> success compiling OpenSSL with the Sun board with "Configure
> solaris-sparcv8-cc -L/usr/local/lib threads shared -ldl", and while I have
> gcc, I tried solaris-sparcv9-gcc instead, but this failed (ld doesn't like the
> options generated). I rebuilt OpenSSL with the -ldl option to "config", and
> retested, using both an LD_LIBRARY_PATH that included the directory containing
> the Sun supplied "libswift.so", and then with LD_PRELOAD for the exact
> library, but with no joy.
OK. Please try going through it again, but first running any tests you have to
ensure your hardware and support software is functioning as expected. Also, note
that even if the "openssl speed" command works (you have to check, your output above
showed errors in the first operation - meaning the benchmarks were useless) it
will measure the ratio of operations done to *CPU time used*. As hardware
acceleration generally means the CPU spends a lot of time waiting for the
hardware, this figure can be grossly distorted - passing the "-elapsed" switch
to "openssl speed" can give more meaningful results in this case.
> So, are there modssl users using the Sun product?
Certainly with the Cryptoswift cards - but I don't know about the rebadged Sun
stuff (how it differs in terms of hardware and/or drivers, etc).
Regards,
Geoff
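
Added example (not part of the original message, and not OpenSSL code): a Python check that scans "openssl speed" output for the failure markers discussed in the reply before any of the figures are trusted. The failing sample is the output quoted in the thread with its wrapped error lines re-joined; the clean sample and the function name check_speed_output are constructed for illustration.

```python
import re

# Failing run quoted in the thread (wrapped error lines re-joined).
FAILED_RUN = """\
engine "cswift" set.
Doing 1024 bit private rsa's for 10s: RSA sign failure
4189:error:26067072:engine routines:CSWIFT_MOD_EXP_CRT:request failed:hw_cswift.c:524:CryptoSwift error number is -10004
1 1024 bit private RSA's in 0.90s
Doing 1024 bit public rsa's for 10s: RSA verify failure
4189:error:26066072:engine routines:CSWIFT_MOD_EXP:request failed:hw_cswift.c:413:CryptoSwift error number is -10004
1 1024 bit public RSA's in 0.71s
"""

# Constructed sample of a clean run (counts are illustrative, not measured).
CLEAN_RUN = """\
Doing 1024 bit private rsa's for 10s: 349 1024 bit private RSA's in 10.00s
Doing 1024 bit public rsa's for 10s: 6421 1024 bit public RSA's in 10.00s
"""

# "<count> <bits> bit <kind> RSA's in <secs>s" closes each timed loop.
DONE = re.compile(r"(\d+) (\d+) bit (private|public) RSA's in ([\d.]+)s")
# Failure notice printed when the first operation of a loop fails.
FAIL = re.compile(r"RSA (sign|verify) failure")
# Error-queue line: pid:error:code:library:function:reason:file:line:data
ERRQ = re.compile(r"^\d+:error:[0-9A-Fa-f]{8}:([^:]*):([^:]*):([^:]*):", re.M)


def check_speed_output(text):
    """Return the reasons the benchmark figures in `text` cannot be trusted."""
    problems = []
    for m in FAIL.finditer(text):
        problems.append(f"RSA {m.group(1)} operation failed")
    for m in ERRQ.finditer(text):
        problems.append(f"error queue: {m.group(2)}: {m.group(3)}")
    for m in DONE.finditer(text):
        count, kind, secs = int(m.group(1)), m.group(3), m.group(4)
        # A timed loop that completed only one operation did not really run.
        if count <= 1:
            problems.append(f"{kind} loop stopped after {count} op in {secs}s")
    return problems


if __name__ == "__main__":
    for name, run in (("failed", FAILED_RUN), ("clean", CLEAN_RUN)):
        issues = check_speed_output(run)
        print(name, "-> usable" if not issues else "-> discard", issues)
```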