Ta Geoff,

I'll try to fill in the answers below...


On Wed, 30 May 2001, Geoff Thorpe wrote:
> On Wed, 30 May 2001, James Bromberger wrote:
<chomp>

> > I built 0.9.6a-engine under Solaris 8 and have the hardware device configured.
> > Sun ships a library called "libswift.so" (a link to "libswift.so.5.2.2"),
> > along with libraries for Netscape Server (swiftns351.so, swiftns351.so.1) and
> > iPlanet (cryptoki.jar, libcryptoki22.so).
> > 
<chomp>
> > > 4189:error:26067072:engine routines:CSWIFT_MOD_EXP_CRT:request 
> > > failed:hw_cswift.c:524:CryptoSwift error number is -10004
> > > 1 1024 bit private RSA's in 0.90s
> > > Doing 1024 bit public rsa's for 10s: RSA verify failure
> > > 4189:error:26066072:engine routines:CSWIFT_MOD_EXP:request 
> > > failed:hw_cswift.c:413:CryptoSwift error number is -10004
> > > 1 1024 bit public RSA's in 0.71s
<chomp>

The above errors were with the engine "cswift". The following is the output from the 
speed test without the engine, which completed with no error messages being displayed 
(which is why I chomped it first time around; see below for a complete output).

> > Compared to without trying to use the cswift:
> > >                   sign    verify    sign/s verify/s
> > > rsa 1024 bits   0.0287s   0.0016s     34.9    642.1
> > 
> 
> Actually, the output you quoted showed errors in first operation (for both
> signing and verifying). So the stats can effectively be disregarded. As you
> quote a second set of stats (without its preceding output) it's difficult to
> know whether that failed also - I think it probably did because normally the
> sign/verify times are close to 10.000 s, not 0.0*** s! Please check your error
> output and run any diagnostics that go with your card+drivers to check the card
> and support software is working OK.


The second output is re-run and quoted in full below:

> # ./openssl speed rsa1024
> Doing 1024 bit private rsa's for 10s: 349 1024 bit private RSA's in 10.20s
> Doing 1024 bit public rsa's for 10s: 6402 1024 bit public RSA's in 10.00s
> OpenSSL 0.9.6a [engine] 5 Apr 2001
> built on: Wed May 30 12:44:49 WST 2001
> options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long) idea(int) blowfish(ptr)
> compiler: gcc -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM
>                   sign    verify    sign/s verify/s
> rsa 1024 bits   0.0287s   0.0016s     34.8    640.2




> Yes, for the "openssl ***" commands (such as speed, s_client, etc), you use the
> "-engine <id>" switch to specify an engine. There is also an "openssl engine"
> command for listing (and if you want, testing) the engines available. 

I tried the "engine" option to get a listing:

> # ./openssl engine
> openssl:Error: 'engine' is an invalid command.
> 
> Standard commands
> <chomp - command summary>

If you specify -engine with no engine specified, it says just as much... "no engine 
given".


> I'd
> recommend playing with that until you can see that openssl-based apps are using
> your card OK, and only then start worrying about "speed" (which is obviously
> less help in testing that the hardware is working).


Speed isn't really what I want; using the card is. The OpenSSL speed test was just a 
way of trying to determine if the lower layer in the whole Apache + mod_ssl + OpenSSL 
+ crypto card are working. 

> For other applications (eg. mod_ssl, Apache-SSL, mail-server embellishments,
> etc) you'll have to see what support, if any, they have for doing the same
> thing. OpenSSL has to be instructed to use a given ENGINE - and it's possible to
> have multiple ENGINEs in use at the same time for different roles and/or keys,
> so it's not sufficient for openssl to just try and "pick" an ENGINE par default.
> (Also, given it's generally *other* applications using the openssl libraries,
> it's not a good idea to take control away from the application developer of such
> things.)


Eeek. I haven't seen anything for mod_ssl to use a specific ENGINE; can someone please 
point me to some doco on this?


> > Interestingly, http://morpheus.dcs.it.mtu.edu/~tcpiket/cryptocard/ claims
> > success compiling OpenSSL with the Sun board with "Configure
> > solaris-sparcv8-cc -L/usr/local/lib threads shared -ldl", and while I have
> > gcc, I tried solaris-sparcv9-gcc instead, but this failed (ld doesn't like the
> > options generated). I rebuild OpenSSL with the -ldl option to "config", and
> > retested, using both an LD_LIBRARY_PATH that included the directory containing
> > the Sun supplied "libswift.so", and then with LD_PRELOAD for the exact
> > library, but with no joy.
> 
> OK. Please try going through it again, but first running any tests you have to
> ensure your hardware and support software is functioning as expected. 

Well, I have the "cstest" binary that Sun ships, which probes the card and tells its 
state. It reports the number of interrupts attempted & serviced and the number of 
requests attempted & serviced. My speed tests with the engine enabled do increment 
this. Below is a paste from the output of "cstest":

> $ ./cstest
>              API Version: 5.2.2
>           Driver Version: 2.1.3
>             Accelerators: 1
>           Command Bitmap: 7f000000
>      Interrupts Serviced: 194174
>      Interrupts Received: 194174
>       Requests Attempted: 194173
>       Requests Completed: 194173
> Maximum Pending Requests: 1
> Current Pending Requests: 0
>
>       Accelerator #: 0
>           Last Test: 0
>    Self Test Bitmap: 00000000
>      Command Bitmap: 7f000000
>    Hardware Version: 108e:61.14.7
>    Firmware Version: 2.2.2
>           Signature: 6f3beadd
> Interrupts Serviced: 194175
> Interrupts Received: 194175
>  Requests Attempted: 194174
>  Requests Completed: 194174
>           Idle Time: 0
>                Name: Sun Crypto Accelerator
>        BIOS Version: 0.0.0
>

Interestingly, every time I run "cstest", both the number of interrupts and the 
requests are all incremented by two; I assume probing the driver and card is what is 
doing this. (Kind of like quantum physics, you can see what state it WAS in, but not 
what state it IS in). Doing an "openssl speed rsa1024 -engine cswift" is incrementing 
these numbers by big chunks. I ran the speed test straight after I took the above 
output, and then re-ran "cstest", and these numbers are now around 203,898, but the 
two error messages regarding CSWIFT_MOD_EXP_CRT and CSWIFT_MOD_EXP remained, and the 
timings returned were still bad.

Doing this with "-elapsed" showed:

> # ./openssl speed rsa1024 -engine cswift -elapsed
> engine "cswift" set.
> You have chosen to measure elapsed time instead of user CPU time.
> To get the most accurate results, try to run this
> program when this computer is idle.
> Doing 1024 bit private rsa's for 10s: RSA sign failure
> 4937:error:26067072:engine routines:CSWIFT_MOD_EXP_CRT:
> request failed:hw_cswift.c:524:CryptoSwift error number is -10004
> 1 1024 bit private RSA's in 10.00s
> Doing 1024 bit public rsa's for 10s: 7772 1024 bit public RSA's in 10.00s
> OpenSSL 0.9.6a [engine] 5 Apr 2001
> built on: Wed May 30 12:44:49 WST 2001
> options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long) idea(int) blowfish(ptr)
> compiler: gcc -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN 
> -DHAVE_DLFCN_H -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN 
> -DBN_DIV2W -DULTRASPARC -DMD5_ASM
>                   sign    verify    sign/s verify/s
> rsa 1024 bits  10.0000s   0.0013s      0.1    777.3



> Also, note
> that even if the "openssl speed" command works (you have to check, your output above
> showed errors in the first operation - meaning the benchmarks were useless) it
> will measure the ratio of operations done to *CPU time used*. As hardware
> acceleration generally means the CPU spends a lot of time waiting for the
> hardware, this figure can be grossly distorted - passing the "-elapsed" switch
> to "openssl speed" can give more meaningful results in this case.


Many thanks,

        James

-- 
  James Bromberger,
  Senior Web/Systems Administrator, JDV
  +61 8 9268 2909, +61 417 322 500
  Fax: +61 8 9268 0200

JDV - e-Commerce and Outsourcing Solutions for Financial Services
http://www.jdv.com/

Any securities recommendation contained in this document is unsolicited general 
information only. Do not act on a recommendation without first consulting your 
investment advisor to determine whether the recommendation is appropriate for your 
investment objectives, financial situation and particular needs.
JDV  believes that any information or advice (including any securities recommendation) 
contained in this document is accurate when issued. However, JDV does not warrant its 
accuracy or reliability. JDV, its officers, agents and employees exclude all liability 
whatsoever, in negligence or otherwise, for any loss or damage relating to this 
document to the full extent permitted by law.

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
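The point Geoff makes twice in the thread is that an "openssl speed" run which reports "RSA sign failure" or "RSA verify failure" yields throughput figures that must be disregarded, and that the error lines (library, function, reason, driver error number) are what to read instead. The following is an added example, written for this page and not code from OpenSSL, mod_ssl, Sun or either poster: it parses the speed output and the "error:XXXXXXXX:lib:func:reason:file:line:extra" lines quoted above, splits the 8-hex-digit packed code into library/function/reason the way OpenSSL 0.9.x/1.x ERR_PACK laid it out (8-bit library, 12-bit function, 12-bit reason; the value 38 for the engine library is from that era's err.h), and refuses to compute an ops/s figure for any operation that reported a failure. The sample output is copied from the messages above (one wrapped error line re-joined) and is embedded as constructed test input.

```python
"""Sanity-check `openssl speed` output before trusting its numbers.

Added example for the thread above; not OpenSSL's, mod_ssl's or Sun's code.
Assumptions: the 0.9.x/1.x packed error code layout (lib<<24 | func<<12 |
reason) and ERR_LIB_ENGINE == 38 (0x26) as in OpenSSL 0.9.6 err.h.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

ERR_LIB_ENGINE = 38  # 0x26: "engine routines" in OpenSSL 0.9.6 (assumption from err.h)

ERROR_LINE = re.compile(
    r"^\d+:error:(?P<code>[0-9a-fA-F]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+)(?::(?P<extra>.*))?$"
)
DOING_LINE = re.compile(r"^Doing (?P<op>.+?) for \d+s: (?P<rest>.*)$")
COUNT_LINE = re.compile(r"^(?P<count>\d+) .+ in (?P<secs>[\d.]+)s$")
DRIVER_ERRNO = re.compile(r"error number is (?P<n>-?\d+)")

# Constructed input: the two runs quoted in the thread (wrapped error line re-joined).
WITH_ENGINE = """\
engine "cswift" set.
Doing 1024 bit private rsa's for 10s: RSA sign failure
4937:error:26067072:engine routines:CSWIFT_MOD_EXP_CRT:request failed:hw_cswift.c:524:CryptoSwift error number is -10004
1 1024 bit private RSA's in 10.00s
Doing 1024 bit public rsa's for 10s: 7772 1024 bit public RSA's in 10.00s
                  sign    verify    sign/s verify/s
rsa 1024 bits  10.0000s   0.0013s      0.1    777.3
"""
WITHOUT_ENGINE = """\
Doing 1024 bit private rsa's for 10s: 349 1024 bit private RSA's in 10.20s
Doing 1024 bit public rsa's for 10s: 6402 1024 bit public RSA's in 10.00s
"""


@dataclass
class OpResult:
    op: str
    count: int = 0
    seconds: float = 0.0
    failed: bool = False
    errors: list = field(default_factory=list)

    @property
    def ops_per_second(self) -> Optional[float]:
        # A throughput figure is meaningless once a failure was reported for the op.
        if self.failed or self.seconds <= 0:
            return None
        return self.count / self.seconds


def unpack_error_code(code: int) -> tuple:
    """Split a packed 0.9.x/1.x error code into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_error_line(line: str) -> Optional[dict]:
    """Decode one 'pid:error:code:lib:func:reason:file:line[:extra]' line."""
    m = ERROR_LINE.match(line.strip())
    if not m:
        return None
    lib, func, reason = unpack_error_code(int(m["code"], 16))
    n = DRIVER_ERRNO.search(m["extra"] or "")
    return {
        "lib": lib, "func": func, "reason": reason,
        "lib_name": m["lib"], "func_name": m["func"], "reason_name": m["reason"],
        "file": m["file"], "line": int(m["line"]),
        "driver_errno": int(n["n"]) if n else None,  # e.g. CryptoSwift -10004
    }


def parse_speed_output(text: str) -> dict:
    """Return {op: OpResult} for the per-operation lines of `openssl speed`."""
    results, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = DOING_LINE.match(line)
        if m:
            current = results[m["op"]] = OpResult(op=m["op"])
            c = COUNT_LINE.match(m["rest"])
            if c:  # count printed on the same line: the op ran
                current.count, current.seconds = int(c["count"]), float(c["secs"])
            elif "failure" in m["rest"]:  # "RSA sign failure" / "RSA verify failure"
                current.failed = True
            continue
        if current is None:
            continue
        err = parse_error_line(line)
        if err:
            current.failed = True
            current.errors.append(err)
            continue
        c = COUNT_LINE.match(line)  # trailing "1 ... RSA's in 10.00s" after a failure
        if c:
            current.count, current.seconds = int(c["count"]), float(c["secs"])
    return results


def benchmark_is_trustworthy(results: dict) -> bool:
    """True only if every operation ran without a reported failure and did more than one op."""
    return all(not r.failed and r.count > 1 for r in results.values())
```

Run against the two quoted outputs, the engine run is rejected (the private-key op failed in CSWIFT_MOD_EXP_CRT with driver error -10004, and only one attempt was made in the full 10 s), while the software run gives 6402/10.00 = 640.2 verify/s, the same figure the speed table printed. The decoder also confirms that 0x26067072 belongs to library 38, i.e. the engine code rather than the RSA or BN library, which is why the card's own diagnostics, not OpenSSL, are the next thing to look at.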
