Re: [openssl-dev] how to static compile ssl engine into openssl

2017-10-11 Thread Paul Yang 

> On 26 Sep 2017, at 18:13, 程文平 <chengwenpi...@jd.com 
> <mailto:chengwenpi...@jd.com>> wrote:
> 
> There is some more info.
> 
> https://github.com/01org/QAT_Engine/issues/9 
> <https://github.com/01org/QAT_Engine/issues/9>

Interesting. This issue was created by me last year, seems some people still 
struggling with combination of NGINX+OpenSSL+QAT.

Our solution is just to build OpenSSL dynamically with NGINX (although usually 
most Chinese companies I know like to build OpenSSL statically with NGINX).

> 
> -邮件原件-
> 发件人: 程文平 
> 发送时间: 2017年9月26日 17:43
> 收件人: openssl-dev@openssl.org <mailto:openssl-dev@openssl.org>
> 主题: 答复: [openssl-dev] how to static compile ssl engine into openssl
> 
> Hi Richard,
> 
>   Thanks for your response. From your meaning, the QAT engine codes is 
> not applicable for static compile into openssl.
>   Yes, I should keep to run nginx using shared OpenSSL libraries with 
> dynamic QAT engines installed, until QAT engine static compiling is support.
> 
>   Thank,
> 
>   Nick Cheng
> -邮件原件-
> 发件人: openssl-dev [mailto:openssl-dev-boun...@openssl.org 
> <mailto:openssl-dev-boun...@openssl.org>] 代表 Richard Levitte
> 发送时间: 2017年9月26日 13:32
> 收件人: openssl-dev@openssl.org <mailto:openssl-dev@openssl.org>
> 主题: Re: [openssl-dev] how to static compile ssl engine into openssl
> 
> In message <31F771DF13463A429610AEEBF6AFAE820182EBC4@mbx14.360buyAD.local 
> <mailto:31F771DF13463A429610AEEBF6AFAE820182EBC4@mbx14.360buyAD.local>> on 
> Mon, 25 Sep 2017 10:16:28 +, 程文平 <chengwenpi...@jd.com 
> <mailto:chengwenpi...@jd.com>> said:
> 
> chengwenping1> I’m working on accelerating ssl traffic with Intel QAT 
> chengwenping1> card, now openssl 1.1.0f is integrated into Nginx, so I 
> chengwenping1> need to static compile Intel QAT engine into openssl, and 
> chengwenping1> I do not find some useful info about it from Internet, 
> chengwenping1> although openssl-1.1.0f/engines/ build.info 
> <http://build.info/>, it is not 
> chengwenping1> applicable from QAT engine from 
> chengwenping1> https://github.com/01org/QAT_Engine 
> <https://github.com/01org/QAT_Engine>. Is there a guide 
> chengwenping1> line for this case?
> 
> Unforatunately, there is no such guide that I know of.  I just had a look in 
> e_qat.c, and there seems to be support for doing that there (see the sections 
> guarded by OPENSSL_NO_DYNAMIC_ENGINES), but I can't see any way to make use 
> of that in their configuration.
> 
> If this is what you really want, I suggest you create an issue in the 
> QAT_Engine project...  but you probably need to understand that you may not 
> get what you want, and if you do, it's probably going to be an unsupported 
> hack.
> 
> chengwenping1> There is another alternative to do it, just to alone 
> chengwenping1> compile openssl and nginx, but it will take effort to 
> chengwenping1> deploy it.
> 
> You mean to have nginx use the shared OpenSSL libraries, which also enables 
> dynamic engines?  Yes, that's the usual way to go about these things.
> 
> Cheers,
> Richard
> 
> -- 
> Richard Levitte levi...@openssl.org <mailto:levi...@openssl.org>
> OpenSSL Project http://www.openssl.org/~levitte/ 
> <http://www.openssl.org/~levitte/>
> --
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev 
> <https://mta.openssl.org/mailman/listinfo/openssl-dev>
> -- 
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev 
> <https://mta.openssl.org/mailman/listinfo/openssl-dev>
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] how to static compile ssl engine into openssl

2017-10-11 Thread Paul Yang 

> On 26 Sep 2017, at 18:13, 程文平 <chengwenpi...@jd.com 
> <mailto:chengwenpi...@jd.com>> wrote:
> 
> There is some more info.
> 
> https://github.com/01org/QAT_Engine/issues/9 
> <https://github.com/01org/QAT_Engine/issues/9>

Interesting. This issue was created by me last year, seems some people still 
struggling with combination of NGINX+OpenSSL+QAT.

Our solution is just to build OpenSSL dynamically with NGINX (although usually 
most Chinese companies I know like to build OpenSSL statically with NGINX).

> 
> -邮件原件-
> 发件人: 程文平 
> 发送时间: 2017年9月26日 17:43
> 收件人: openssl-dev@openssl.org <mailto:openssl-dev@openssl.org>
> 主题: 答复: [openssl-dev] how to static compile ssl engine into openssl
> 
> Hi Richard,
> 
>   Thanks for your response. From your meaning, the QAT engine codes is 
> not applicable for static compile into openssl.
>   Yes, I should keep to run nginx using shared OpenSSL libraries with 
> dynamic QAT engines installed, until QAT engine static compiling is support.
> 
>   Thank,
> 
>   Nick Cheng
> -邮件原件-
> 发件人: openssl-dev [mailto:openssl-dev-boun...@openssl.org 
> <mailto:openssl-dev-boun...@openssl.org>] 代表 Richard Levitte
> 发送时间: 2017年9月26日 13:32
> 收件人: openssl-dev@openssl.org <mailto:openssl-dev@openssl.org>
> 主题: Re: [openssl-dev] how to static compile ssl engine into openssl
> 
> In message <31F771DF13463A429610AEEBF6AFAE820182EBC4@mbx14.360buyAD.local 
> <mailto:31F771DF13463A429610AEEBF6AFAE820182EBC4@mbx14.360buyAD.local>> on 
> Mon, 25 Sep 2017 10:16:28 +, 程文平 <chengwenpi...@jd.com 
> <mailto:chengwenpi...@jd.com>> said:
> 
> chengwenping1> I’m working on accelerating ssl traffic with Intel QAT 
> chengwenping1> card, now openssl 1.1.0f is integrated into Nginx, so I 
> chengwenping1> need to static compile Intel QAT engine into openssl, and 
> chengwenping1> I do not find some useful info about it from Internet, 
> chengwenping1> although openssl-1.1.0f/engines/ build.info 
> <http://build.info/>, it is not 
> chengwenping1> applicable from QAT engine from 
> chengwenping1> https://github.com/01org/QAT_Engine 
> <https://github.com/01org/QAT_Engine>. Is there a guide 
> chengwenping1> line for this case?
> 
> Unforatunately, there is no such guide that I know of.  I just had a look in 
> e_qat.c, and there seems to be support for doing that there (see the sections 
> guarded by OPENSSL_NO_DYNAMIC_ENGINES), but I can't see any way to make use 
> of that in their configuration.
> 
> If this is what you really want, I suggest you create an issue in the 
> QAT_Engine project...  but you probably need to understand that you may not 
> get what you want, and if you do, it's probably going to be an unsupported 
> hack.
> 
> chengwenping1> There is another alternative to do it, just to alone 
> chengwenping1> compile openssl and nginx, but it will take effort to 
> chengwenping1> deploy it.
> 
> You mean to have nginx use the shared OpenSSL libraries, which also enables 
> dynamic engines?  Yes, that's the usual way to go about these things.
> 
> Cheers,
> Richard
> 
> -- 
> Richard Levitte levi...@openssl.org <mailto:levi...@openssl.org>
> OpenSSL Project http://www.openssl.org/~levitte/ 
> <http://www.openssl.org/~levitte/>
> --
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev 
> <https://mta.openssl.org/mailman/listinfo/openssl-dev>
> -- 
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev 
> <https://mta.openssl.org/mailman/listinfo/openssl-dev>
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] how to static compile ssl engine into openssl

2017-09-26 Thread Richard Levitte 
In message <20170926203053.5hlfcbx273lko...@roeckx.be> on Tue, 26 Sep 2017 
22:30:53 +0200, Kurt Roeckx  said:

kurt> On Tue, Sep 26, 2017 at 07:32:06AM +0200, Richard Levitte wrote:
kurt> > 
kurt> > You mean to have nginx use the shared OpenSSL libraries, which also
kurt> > enables dynamic engines?  Yes, that's the usual way to go about these
kurt> > things.
kurt> 
kurt> Do we support dynamic engines with a static build?

No we don't.  no-shared means no-dynamic-engine

Cheers,
Richard

-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] how to static compile ssl engine into openssl

2017-09-26 Thread Kurt Roeckx 
On Tue, Sep 26, 2017 at 07:32:06AM +0200, Richard Levitte wrote:
> 
> You mean to have nginx use the shared OpenSSL libraries, which also
> enables dynamic engines?  Yes, that's the usual way to go about these
> things.

Do we support dynamic engines with a static build?


Kurt

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] how to static compile ssl engine into openssl

2017-09-26 Thread Linsell, StevenX 
On 26/09/2017, Levitte, Richard via openssl-dev wrote:
> 
> chengwenping1> I?m working on accelerating ssl traffic with Intel QAT
> chengwenping1> card, now openssl 1.1.0f is integrated into Nginx, so I
> chengwenping1> need to static compile Intel QAT engine into openssl, and
> chengwenping1> I do not find some useful info about it from Internet,
> chengwenping1> although openssl-1.1.0f/engines/ build.info, it is not
> chengwenping1> applicable from QAT engine from
> chengwenping1> https://github.com/01org/QAT_Engine. Is there a guide
> chengwenping1> line for this case?
> 
> Unforatunately, there is no such guide that I know of.  I just had a look in
> e_qat.c, and there seems to be support for doing that there (see the
> sections guarded by OPENSSL_NO_DYNAMIC_ENGINES), but I can't see any
> way to make use of that in their configuration.
> 
> If this is what you really want, I suggest you create an issue in the
> QAT_Engine project...  but you probably need to understand that you may
> not get what you want, and if you do, it's probably going to be an
> unsupported hack.

I can confirm that the Intel Quickassist Technology(QAT) OpenSSL Engine 
does not support compiling as a static engine against OpenSSL 1.1.0f.
As Richard observed there is some legacy code remaining in the engine 
that would allow it to work as a static engine, but if you wanted to build
that way you would need to make modifications to the OpenSSL build
system to compile in the engine and then some further code changes 
for it to use the engine. We purposely left that code in the engine from
the previous OpenSSL 1.0.1 engine just in case someone needed a static
build but it is untested again OpenSSL 1.1.0.
There was a discussion around the feasibility of adding the QAT Engine 
to the OpenSSL project the other year but it is OpenSSL's direction not to 
accept new hardware engines into the project as the burden of needing
specific hardware and expertise to maintain those engines is too great.   
Without the engine being part of the main OpenSSL project it is not really 
feasible to have a static engine as we would need to maintain some sort
of OpenSSL patch to make everything work together. 

Steve Linsell Intel Shannon DCG/CID Software 
Development Team
stevenx.lins...@intel.com
 
--
Intel Research and Development Ireland Limited
Registered in Ireland
Registered Office: Collinstown Industrial Park, Leixlip, County Kildare
Registered Number: 308263


This e-mail and any attachments may contain confidential material for the sole
use of the intended recipient(s). Any review or distribution by others is
strictly prohibited. If you are not the intended recipient, please contact the
sender and delete all copies.

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] how to static compile ssl engine into openssl

2017-09-25 Thread Richard Levitte 
In message <31F771DF13463A429610AEEBF6AFAE820182EBC4@mbx14.360buyAD.local> on 
Mon, 25 Sep 2017 10:16:28 +, 程文平  said:

chengwenping1> I’m working on accelerating ssl traffic with Intel QAT
chengwenping1> card, now openssl 1.1.0f is integrated into Nginx, so I
chengwenping1> need to static compile Intel QAT engine into openssl,
chengwenping1> and I do not find some useful info about it from
chengwenping1> Internet, although openssl-1.1.0f/engines/ build.info,
chengwenping1> it is not applicable from QAT engine from
chengwenping1> https://github.com/01org/QAT_Engine. Is there a guide
chengwenping1> line for this case?

Unforatunately, there is no such guide that I know of.  I just had a
look in e_qat.c, and there seems to be support for doing that there
(see the sections guarded by OPENSSL_NO_DYNAMIC_ENGINES), but I can't
see any way to make use of that in their configuration.

If this is what you really want, I suggest you create an issue in the
QAT_Engine project...  but you probably need to understand that you
may not get what you want, and if you do, it's probably going to be an
unsupported hack.

chengwenping1> There is another alternative to do it, just to alone
chengwenping1> compile openssl and nginx, but it will take effort to
chengwenping1> deploy it.

You mean to have nginx use the shared OpenSSL libraries, which also
enables dynamic engines?  Yes, that's the usual way to go about these
things.

Cheers,
Richard

-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev