Re: [openssl-dev] how to static compile ssl engine into openssl
> On 26 Sep 2017, at 18:13, 程文平 <chengwenpi...@jd.com > <mailto:chengwenpi...@jd.com>> wrote: > > There is some more info. > > https://github.com/01org/QAT_Engine/issues/9 > <https://github.com/01org/QAT_Engine/issues/9> Interesting. This issue was created by me last year, seems some people still struggling with combination of NGINX+OpenSSL+QAT. Our solution is just to build OpenSSL dynamically with NGINX (although usually most Chinese companies I know like to build OpenSSL statically with NGINX). > > -邮件原件- > 发件人: 程文平 > 发送时间: 2017年9月26日 17:43 > 收件人: openssl-dev@openssl.org <mailto:openssl-dev@openssl.org> > 主题: 答复: [openssl-dev] how to static compile ssl engine into openssl > > Hi Richard, > > Thanks for your response. From your meaning, the QAT engine codes is > not applicable for static compile into openssl. > Yes, I should keep to run nginx using shared OpenSSL libraries with > dynamic QAT engines installed, until QAT engine static compiling is support. > > Thank, > > Nick Cheng > -邮件原件- > 发件人: openssl-dev [mailto:openssl-dev-boun...@openssl.org > <mailto:openssl-dev-boun...@openssl.org>] 代表 Richard Levitte > 发送时间: 2017年9月26日 13:32 > 收件人: openssl-dev@openssl.org <mailto:openssl-dev@openssl.org> > 主题: Re: [openssl-dev] how to static compile ssl engine into openssl > > In message <31F771DF13463A429610AEEBF6AFAE820182EBC4@mbx14.360buyAD.local > <mailto:31F771DF13463A429610AEEBF6AFAE820182EBC4@mbx14.360buyAD.local>> on > Mon, 25 Sep 2017 10:16:28 +, 程文平 <chengwenpi...@jd.com > <mailto:chengwenpi...@jd.com>> said: > > chengwenping1> I’m working on accelerating ssl traffic with Intel QAT > chengwenping1> card, now openssl 1.1.0f is integrated into Nginx, so I > chengwenping1> need to static compile Intel QAT engine into openssl, and > chengwenping1> I do not find some useful info about it from Internet, > chengwenping1> although openssl-1.1.0f/engines/ build.info > <http://build.info/>, it is not > chengwenping1> applicable from QAT engine from > chengwenping1> https://github.com/01org/QAT_Engine > <https://github.com/01org/QAT_Engine>. Is there a guide > chengwenping1> line for this case? > > Unforatunately, there is no such guide that I know of. I just had a look in > e_qat.c, and there seems to be support for doing that there (see the sections > guarded by OPENSSL_NO_DYNAMIC_ENGINES), but I can't see any way to make use > of that in their configuration. > > If this is what you really want, I suggest you create an issue in the > QAT_Engine project... but you probably need to understand that you may not > get what you want, and if you do, it's probably going to be an unsupported > hack. > > chengwenping1> There is another alternative to do it, just to alone > chengwenping1> compile openssl and nginx, but it will take effort to > chengwenping1> deploy it. > > You mean to have nginx use the shared OpenSSL libraries, which also enables > dynamic engines? Yes, that's the usual way to go about these things. > > Cheers, > Richard > > -- > Richard Levitte levi...@openssl.org <mailto:levi...@openssl.org> > OpenSSL Project http://www.openssl.org/~levitte/ > <http://www.openssl.org/~levitte/> > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > <https://mta.openssl.org/mailman/listinfo/openssl-dev> > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > <https://mta.openssl.org/mailman/listinfo/openssl-dev> -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] how to static compile ssl engine into openssl
> On 26 Sep 2017, at 18:13, 程文平 <chengwenpi...@jd.com > <mailto:chengwenpi...@jd.com>> wrote: > > There is some more info. > > https://github.com/01org/QAT_Engine/issues/9 > <https://github.com/01org/QAT_Engine/issues/9> Interesting. This issue was created by me last year, seems some people still struggling with combination of NGINX+OpenSSL+QAT. Our solution is just to build OpenSSL dynamically with NGINX (although usually most Chinese companies I know like to build OpenSSL statically with NGINX). > > -邮件原件- > 发件人: 程文平 > 发送时间: 2017年9月26日 17:43 > 收件人: openssl-dev@openssl.org <mailto:openssl-dev@openssl.org> > 主题: 答复: [openssl-dev] how to static compile ssl engine into openssl > > Hi Richard, > > Thanks for your response. From your meaning, the QAT engine codes is > not applicable for static compile into openssl. > Yes, I should keep to run nginx using shared OpenSSL libraries with > dynamic QAT engines installed, until QAT engine static compiling is support. > > Thank, > > Nick Cheng > -邮件原件- > 发件人: openssl-dev [mailto:openssl-dev-boun...@openssl.org > <mailto:openssl-dev-boun...@openssl.org>] 代表 Richard Levitte > 发送时间: 2017年9月26日 13:32 > 收件人: openssl-dev@openssl.org <mailto:openssl-dev@openssl.org> > 主题: Re: [openssl-dev] how to static compile ssl engine into openssl > > In message <31F771DF13463A429610AEEBF6AFAE820182EBC4@mbx14.360buyAD.local > <mailto:31F771DF13463A429610AEEBF6AFAE820182EBC4@mbx14.360buyAD.local>> on > Mon, 25 Sep 2017 10:16:28 +, 程文平 <chengwenpi...@jd.com > <mailto:chengwenpi...@jd.com>> said: > > chengwenping1> I’m working on accelerating ssl traffic with Intel QAT > chengwenping1> card, now openssl 1.1.0f is integrated into Nginx, so I > chengwenping1> need to static compile Intel QAT engine into openssl, and > chengwenping1> I do not find some useful info about it from Internet, > chengwenping1> although openssl-1.1.0f/engines/ build.info > <http://build.info/>, it is not > chengwenping1> applicable from QAT engine from > chengwenping1> https://github.com/01org/QAT_Engine > <https://github.com/01org/QAT_Engine>. Is there a guide > chengwenping1> line for this case? > > Unforatunately, there is no such guide that I know of. I just had a look in > e_qat.c, and there seems to be support for doing that there (see the sections > guarded by OPENSSL_NO_DYNAMIC_ENGINES), but I can't see any way to make use > of that in their configuration. > > If this is what you really want, I suggest you create an issue in the > QAT_Engine project... but you probably need to understand that you may not > get what you want, and if you do, it's probably going to be an unsupported > hack. > > chengwenping1> There is another alternative to do it, just to alone > chengwenping1> compile openssl and nginx, but it will take effort to > chengwenping1> deploy it. > > You mean to have nginx use the shared OpenSSL libraries, which also enables > dynamic engines? Yes, that's the usual way to go about these things. > > Cheers, > Richard > > -- > Richard Levitte levi...@openssl.org <mailto:levi...@openssl.org> > OpenSSL Project http://www.openssl.org/~levitte/ > <http://www.openssl.org/~levitte/> > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > <https://mta.openssl.org/mailman/listinfo/openssl-dev> > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > <https://mta.openssl.org/mailman/listinfo/openssl-dev> -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] how to static compile ssl engine into openssl
In message <20170926203053.5hlfcbx273lko...@roeckx.be> on Tue, 26 Sep 2017 22:30:53 +0200, Kurt Roeckxsaid: kurt> On Tue, Sep 26, 2017 at 07:32:06AM +0200, Richard Levitte wrote: kurt> > kurt> > You mean to have nginx use the shared OpenSSL libraries, which also kurt> > enables dynamic engines? Yes, that's the usual way to go about these kurt> > things. kurt> kurt> Do we support dynamic engines with a static build? No we don't. no-shared means no-dynamic-engine Cheers, Richard -- Richard Levitte levi...@openssl.org OpenSSL Project http://www.openssl.org/~levitte/ -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] how to static compile ssl engine into openssl
On Tue, Sep 26, 2017 at 07:32:06AM +0200, Richard Levitte wrote: > > You mean to have nginx use the shared OpenSSL libraries, which also > enables dynamic engines? Yes, that's the usual way to go about these > things. Do we support dynamic engines with a static build? Kurt -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] how to static compile ssl engine into openssl
On 26/09/2017, Levitte, Richard via openssl-dev wrote: > > chengwenping1> I?m working on accelerating ssl traffic with Intel QAT > chengwenping1> card, now openssl 1.1.0f is integrated into Nginx, so I > chengwenping1> need to static compile Intel QAT engine into openssl, and > chengwenping1> I do not find some useful info about it from Internet, > chengwenping1> although openssl-1.1.0f/engines/ build.info, it is not > chengwenping1> applicable from QAT engine from > chengwenping1> https://github.com/01org/QAT_Engine. Is there a guide > chengwenping1> line for this case? > > Unforatunately, there is no such guide that I know of. I just had a look in > e_qat.c, and there seems to be support for doing that there (see the > sections guarded by OPENSSL_NO_DYNAMIC_ENGINES), but I can't see any > way to make use of that in their configuration. > > If this is what you really want, I suggest you create an issue in the > QAT_Engine project... but you probably need to understand that you may > not get what you want, and if you do, it's probably going to be an > unsupported hack. I can confirm that the Intel Quickassist Technology(QAT) OpenSSL Engine does not support compiling as a static engine against OpenSSL 1.1.0f. As Richard observed there is some legacy code remaining in the engine that would allow it to work as a static engine, but if you wanted to build that way you would need to make modifications to the OpenSSL build system to compile in the engine and then some further code changes for it to use the engine. We purposely left that code in the engine from the previous OpenSSL 1.0.1 engine just in case someone needed a static build but it is untested again OpenSSL 1.1.0. There was a discussion around the feasibility of adding the QAT Engine to the OpenSSL project the other year but it is OpenSSL's direction not to accept new hardware engines into the project as the burden of needing specific hardware and expertise to maintain those engines is too great. Without the engine being part of the main OpenSSL project it is not really feasible to have a static engine as we would need to maintain some sort of OpenSSL patch to make everything work together. Steve Linsell Intel Shannon DCG/CID Software Development Team stevenx.lins...@intel.com -- Intel Research and Development Ireland Limited Registered in Ireland Registered Office: Collinstown Industrial Park, Leixlip, County Kildare Registered Number: 308263 This e-mail and any attachments may contain confidential material for the sole use of the intended recipient(s). Any review or distribution by others is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies. -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] how to static compile ssl engine into openssl
In message <31F771DF13463A429610AEEBF6AFAE820182EBC4@mbx14.360buyAD.local> on Mon, 25 Sep 2017 10:16:28 +, 程文平said: chengwenping1> I’m working on accelerating ssl traffic with Intel QAT chengwenping1> card, now openssl 1.1.0f is integrated into Nginx, so I chengwenping1> need to static compile Intel QAT engine into openssl, chengwenping1> and I do not find some useful info about it from chengwenping1> Internet, although openssl-1.1.0f/engines/ build.info, chengwenping1> it is not applicable from QAT engine from chengwenping1> https://github.com/01org/QAT_Engine. Is there a guide chengwenping1> line for this case? Unforatunately, there is no such guide that I know of. I just had a look in e_qat.c, and there seems to be support for doing that there (see the sections guarded by OPENSSL_NO_DYNAMIC_ENGINES), but I can't see any way to make use of that in their configuration. If this is what you really want, I suggest you create an issue in the QAT_Engine project... but you probably need to understand that you may not get what you want, and if you do, it's probably going to be an unsupported hack. chengwenping1> There is another alternative to do it, just to alone chengwenping1> compile openssl and nginx, but it will take effort to chengwenping1> deploy it. You mean to have nginx use the shared OpenSSL libraries, which also enables dynamic engines? Yes, that's the usual way to go about these things. Cheers, Richard -- Richard Levitte levi...@openssl.org OpenSSL Project http://www.openssl.org/~levitte/ -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev