Re: engine's performance (what's wrong?)
* Aleix Conchillo Flaque ([EMAIL PROTECTED]) wrote:
> hi again,
>
> as i said yesterday i'm doing some tests with cryptographic hardware (in
> my case nCipher's).
>
> now that i have loaded the engine, i'm getting real strange results. the
> same test with hardware enabled is much slower than the software version.
>
> it is really weird, because the "openssl speed -engine chil" command
> seems to be as fast as desired.
>
> do i have to set something else? is there any documentation on the net?
> am i getting more dummy everyday?

I've written oodles about this sort of thing in the past - so perhaps a trawl of the archives might turn up enough "documentation" to keep you happy. Or if not happy, at least busy. :-)

The short answer(s) are probably as follows, but not having seen your numbers I'm working blind and so you should take this with a pinch of salt.

When using hardware, you probably want to use the "-elapsed" flag to "openssl speed". The reason is that by default it will measure CPU usage of the openssl speed command so that the benchmarks are more accurate and resistant to external tasks that might be happening on the host system. However, if the crypto is taking place in hardware, the library representing the hardware is probably spending the majority of time in blocking calls (ioctl() if it talks directly to kernel drivers, though I think ncipher/chil uses select/poll to talk to a privileged daemon process instead?). Anyway, this will seriously mess up the numbers and give wildly overstated estimates. If the program spends most of the time sleeping waiting for responses from hardware, it'll appear that the program used very little CPU time to achieve the crypto operations and so will deduce that if it could have all the CPU time to itself it would be very very fast indeed! Which is nonsense of course.

"-elapsed" will simply measure the running time, rather than CPU usage, which (provided you try to keep the system from doing other tasks at the same time) should prove more accurate. If the above is true, that should merely make "openssl speed" say your hardware is as slow as you thought it was from your own test program.

As for the reason why that might be the case, here are some possibilities;
(1) your crypto hardware could actually be slow,
(2) your host system could actually be quite fast in software,
(3) your crypto hardware could be highly parallel and your application could be linear (as is certainly the case with "openssl speed").

W.r.t. (3), it may happen that the crypto hardware has a number of internal cryptographic units that it can distribute workload to, such that if you keep providing it with enough crypto operations to do *AT THE SAME TIME*, then the total throughput of operations could be what you were expecting. What this means however is that each individual unit on its own would be perhaps slower than you were expecting. Or put another way, if you have a device claiming to do 1000 RSA operations a second that is internally built out of 10 parallel processing units, then each processing unit itself is probably capable of doing 100 RSA operations a second, i.e. 10 milliseconds each. If you only ever give the whole device one operation to do at a time, only one processing unit will be in use at a time, and so your total performance will be that of one unit and not that of all ten.

"openssl speed" only does one crypto operation at a time unless you use the "-multi <n>" switch (and it is supported on your version of openssl and host system). Looking briefly at your sample source code, that has the same problem. This is probably what is limiting the performance you are seeing - try executing a few copies of your program at the same time and see what the total performance between them looks like.

Regards,
Geoff

--
Geoff Thorpe [EMAIL PROTECTED]
http://www.openssl.org/

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                          [EMAIL PROTECTED]
Automated List Manager                             [EMAIL PROTECTED]
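The two effects Geoff describes (CPU-time measurement overstating a device that mostly blocks, and one-at-a-time submission using only one of several parallel units) can be reproduced without any crypto hardware. The following is an added illustration, not code from this thread or from OpenSSL: it stands in a fake "accelerator" whose every operation blocks the caller for an assumed 10 ms, then benchmarks it the way the poster's loop does (one process, one operation at a time, CPU time versus wall clock) and the way "openssl speed -multi <n>" or several copies of the test program would (forked processes submitting concurrently). The latency figure, the process count and the fork-based parallelism are all assumptions of the example.

```c
/* Added illustration, not code from the thread or from OpenSSL: a fake
 * "accelerator" whose every operation blocks the caller for OP_LATENCY_MS
 * (an assumed figure), benchmarked the two ways discussed above. */
#define _POSIX_C_SOURCE 200809L
#include <math.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#define OP_LATENCY_MS 10   /* assumed per-operation latency of one device unit */

struct bench {
    int ops;
    double wall_s;   /* elapsed wall-clock time: what "openssl speed -elapsed" uses */
    double cpu_s;    /* CPU time consumed by this process: the default measure */
};

static double now_wall(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec + ts.tv_nsec / 1e9;
}

static double now_cpu(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_PROCESS_CPUTIME_ID, &ts);
    return ts.tv_sec + ts.tv_nsec / 1e9;
}

/* Stand-in for a call into the hardware vendor's library: the process sits
 * in a blocking system call until the device answers, burning (almost) no
 * CPU while it waits. */
static void hw_sign(void)
{
    struct timespec d = { 0, OP_LATENCY_MS * 1000000L };
    nanosleep(&d, NULL);
}

/* One process handing the device one operation at a time, which is what
 * the poster's loop and "openssl speed" without -multi do. */
struct bench bench_serial(int ops)
{
    struct bench b = { ops, 0.0, 0.0 };
    double w0 = now_wall(), c0 = now_cpu();
    for (int i = 0; i < ops; i++)
        hw_sign();
    b.wall_s = now_wall() - w0;
    b.cpu_s = now_cpu() - c0;
    return b;
}

/* nprocs forked copies each doing ops/nprocs operations at the same time,
 * as "openssl speed -multi <n>" or several copies of the test program
 * would. Only wall time is meaningful here: the children's CPU time is not
 * charged to the parent, so cpu_s is left at zero. */
struct bench bench_parallel(int ops, int nprocs)
{
    struct bench b = { ops, 0.0, 0.0 };
    double w0 = now_wall();
    for (int p = 0; p < nprocs; p++) {
        pid_t pid = fork();
        if (pid == 0) {
            for (int i = 0; i < ops / nprocs; i++)
                hw_sign();
            _exit(0);
        }
    }
    for (int p = 0; p < nprocs; p++)
        wait(NULL);
    b.wall_s = now_wall() - w0;
    return b;
}

/* The figure "openssl speed -elapsed" would report. */
double ops_per_sec_wall(struct bench b)
{
    return b.ops / b.wall_s;
}

/* The figure the default CPU-time measurement would report: it scales the
 * work up to a full second of CPU, which for a process that mostly sleeps
 * is wildly optimistic. */
double ops_per_sec_cpu(struct bench b)
{
    return b.cpu_s > 0 ? b.ops / b.cpu_s : HUGE_VAL;
}

int main(void)
{
    struct bench s = bench_serial(20);
    struct bench p = bench_parallel(20, 4);
    printf("serial:  %.0f ops/s by wall clock, %.0f ops/s by CPU time\n",
           ops_per_sec_wall(s), ops_per_sec_cpu(s));
    printf("4 procs: %.0f ops/s by wall clock\n", ops_per_sec_wall(p));
    return 0;
}
```

Build with "cc -o bench bench.c" and run it: the serial run lands near 100 ops/s by wall clock (one 10 ms unit at a time) while the CPU-time figure is orders of magnitude higher, and the four-process run approaches 400 ops/s by wall clock because four "units" are busy at once. The same three numbers are what you would compare between "openssl speed -engine chil", "openssl speed -elapsed -engine chil" and "openssl speed -elapsed -multi 4 -engine chil".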
Engine Overview
We're specifying (nominally) a SOHO-class accelerator to work with OpenSSL/X86 Linux in an embedded product. We're trying to guess at the development path with the fewest risks/landmines first, and the lowest unit cost second. To this end, I have a few questions,

1. Is there a resource summarizing which "engines" are chip-level cryptographic accelerators, and which are board-level products?

2. Is there any planned OpenSSL support for the SafeNet CryptCore 1140?

3. Across all accelerator products, are there any particular engines that have a significant lead in terms of OpenSSL user base?

Thanks!

James Dabbs
engine's performance (what's wrong?)
hi again,

as i said yesterday i'm doing some tests with cryptographic hardware (in my case nCipher's).

now that i have loaded the engine, i'm getting real strange results. the same test with hardware enabled is much slower than the software version.

it is really weird, because the "openssl speed -engine chil" command seems to be as fast as desired.

do i have to set something else? is there any documentation on the net? am i getting more dummy everyday?

thanks in advance.

regards,

aleix

here is the code (enable hardware passing 'enable' as first parameter):

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <openssl/engine.h>
#include <openssl/rsa.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/objects.h>

ENGINE* setup(char const* engine)
{
    /* a built-in or already-registered engine is found by id */
    ENGINE* e = ENGINE_by_id(engine);

    /* if engine was not found try to load the shared library */
    if (e == NULL) {
        e = ENGINE_by_id("dynamic");
        if ((e == NULL)
            || !ENGINE_ctrl_cmd_string(e, "SO_PATH", engine, 0)
            || !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) {
            ENGINE_free(e);
            e = NULL;
        }
    }
    return e;
}

ENGINE* load(char const* engine)
{
    ENGINE* e = setup(engine);
    if (e == NULL) {
        return NULL;
    }
    /* make it the default for all algorithms; the engine table takes its
       own functional reference, so the caller keeps only the structural
       reference returned here and frees it at shutdown */
    if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
        ENGINE_free(e);
        return NULL;
    }
    return e;
}

int main(int argc, char** argv)
{
    time_t t_start;
    time_t t_end;
    RSA* k;
    ENGINE* e = NULL;
    unsigned int i;
    unsigned char* buf;
    unsigned char* buf2;
    unsigned int rsa_num;

    CRYPTO_malloc_init();
    ERR_load_crypto_strings();
    OpenSSL_add_all_algorithms();

    if ((argc > 1) && strcmp(argv[1], "enable") == 0) {
        ENGINE_load_builtin_engines();
        e = load("chil");
    }
    if (e == NULL) {
        printf("Hardware disabled.\n");
    } else {
        printf("Hardware enabled.\n");
    }

    /* once the engine is the default, RSA_new/RSA_sign go through it */
    k = RSA_generate_key(1024, 65537, NULL, NULL);
    if (k == NULL) {
        ERR_print_errors_fp(stderr);
        return 1;
    }
    buf = (unsigned char*) malloc(5000);
    buf2 = (unsigned char*) malloc(5000);
    memset(buf, 0, 5000);   /* 36-byte MD5+SHA1 digest input; contents do not matter for timing */

    t_start = time(NULL);
    for (i = 0; i < 1500; i++) {
        RSA_sign(NID_md5_sha1, buf, 36, buf2, &rsa_num, k);
    }
    t_end = time(NULL);
    printf("Total time: %ld sec.\n", (long) (t_end - t_start));

    RSA_free(k);
    free(buf);
    free(buf2);
    if (e != NULL) {
        ENGINE_free(e);
    }
    EVP_cleanup();
    ENGINE_cleanup();
    CRYPTO_cleanup_all_ex_data();
    ERR_remove_state(0);
    ERR_free_strings();
    return 0;
}
Re: Queries on SubjAltName
On Tue, 28 Jan 2003, Kiyoshi WATANABE wrote:
> > > Any pointers on how to generate certificates using SubjAltName extension.
> > >
> >
> > As with all extensions doc/openssl.txt
>
> Many people including me are asking the similar questions. Do you
> think that it is a good idea to mention about this document in
> openssl.cnf file as a comment?

Second the motion. Also, "openssl.txt" is a rather obscure name considering that the document is narrowly focused on two aspects of the package. Shouldn't it be split into "X509V3-extensions.txt" and "PKCS12-library.txt" or something like that?

--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
MS Windows *is* user-friendly, but only for certain values of "user".
Re: renegotiation in 0.9.7
On Mon, Jan 27, 2003 at 03:21:45PM -, Nigel Spowage wrote:
> okay, so the proper way to renegotiate a connection is :
>
> 1 - call SSL_renegotiate()
> 2 - call SSL_do_handshake()
> 3 - wait for either
>     3a - SSL_renegotiate_pending() to return 0, or
>     3b - an acceptable amount of time (which means renegotiation has failed)
> 4 - call SSL_renegotiate()
> 5 - call SSL_do_handshake()
>
> is that right ?

SSL_renegotiate() will just set internal flags that tell SSL_do_handshake() to renegotiate, so you will not have to call SSL_renegotiate multiple times; but you may have to repeat the calls to SSL_do_handshake(), which does the actual work. Use SSL_get_error() (as described on its manpage) to find out when SSL_do_handshake() has finished.

You do not have to check the return value of SSL_renegotiate_pending() unless you want to be really sure that an actual renegotiation has taken place -- in some cases, if one party requests a renegotiation, the other party can simply ignore this request. (If SSL_renegotiate_pending() returns non-zero, this does not necessarily mean that calling SSL_do_handshake() again will accomplish anything; maybe you're done and the question is just whether the other party will comply with the request for renegotiation.)

--
Bodo Möller <[EMAIL PROTECTED]>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
Re: enabling engines (solved)
Aleix Conchillo Flaque <[EMAIL PROTECTED]> writes:

> ENGINE*
> setup(char const* engine)
> {
>     if (::ENGINE_by_id(engine) == NULL)
>     {
>         return NULL;
>     }
>
>     ENGINE* e = ::ENGINE_by_id("dynamic");
>     if (e)
>     {
>         if (!::ENGINE_ctrl_cmd_string(e, "SO_PATH", engine.c_str(), 0)
>             || !::ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0))
>         {
>             // fails in here
>             e = NULL;
>         }
>     }
>     return e;
> }
>

i found the error. by the way, a dummy one. ENGINE_by_id already loads the shared library, so the function should look like this:

#include <string>
#include <openssl/engine.h>

ENGINE*
setup(std::string const& engine)
{
    // a built-in or already-registered engine is found (and loaded) by id
    ENGINE* e = ::ENGINE_by_id(engine.c_str());

    std::string err;

    // if engine was not found try to load the shared library
    if (e == NULL)
    {
        e = ::ENGINE_by_id("dynamic");
        if ((e == NULL)
            || !::ENGINE_ctrl_cmd_string(e, "SO_PATH", engine.c_str(), 0)
            || !::ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0))
        {
            err = "Unable to load engine dynamic library: " + engine;
            ::ENGINE_free(e);
            e = NULL;
        }
    }
    if (e == NULL)
    {
        throw engine_exception(err);
    }
    return e;
}

regards,

aleix
Re: Client authentication
On Tue, Jan 28, 2003 at 11:38:25AM +0530, Chandrasekhar R S wrote:
> In my server program, I use SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER |
> SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0) to mandate that client cert should be
> present.
> If present, I use SSL_get_peer_certificate(ssl) to retrieve the client cert.
>
> In my client program, I use :
>
> SSL_CTX_use_certificate_file(CTX, CERTF, SSL_FILETYPE_PEM)
> SSL_CTX_use_PrivateKey_file(ctx, KEYF, SSL_FILETYPE_PEM)
>
> calls to load a cert and a key into the client.

Use SSL_CTX_check_private_key() to check the correct initialization of the keys.

> But, every time, I run the client and the server, the server complains that
> client hasn't presented a cert. Is something else, needs to be done to get
> a client cert to the server.

Download ssldump from Eric's site and analyze the traffic to see:
* whether the client certificate is indeed requested
* whether the client does send its certificate or not.

> I am using openssl-0.9.7 on HPUX (Unix) systems.

I can assure you that it does work on HP-UX :-)

serv01 21: uname -a
HP-UX serv01 B.10.20 A 9000/780 2002495176 two-user license

Best regards,
Lutz

--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
Rep:Client authentication
Hi,

Did you give the location of your trusted CA certificates using SSL_CTX_load_verify_locations(...)? It's probably not the problem but you did not talk about that...

Best regards,
Jipé

-----Original Message-----
From: "Chandrasekhar R S" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Date: 28/01/03
Subject: Client authentication

I am to authenticate a client using his certificate.

In my server program, I use SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0) to mandate that client cert should be present.
If present, I use SSL_get_peer_certificate(ssl) to retrieve the client cert.

In my client program, I use :

SSL_CTX_use_certificate_file(CTX, CERTF, SSL_FILETYPE_PEM)
SSL_CTX_use_PrivateKey_file(ctx, KEYF, SSL_FILETYPE_PEM)

calls to load a cert and a key into the client. This is from the documentation I found, from Eric Rescorla's "An introduction to OpenSSL programming" notes.

But, every time, I run the client and the server, the server complains that client hasn't presented a cert. Is something else, needs to be done to get a client cert to the server.

I am using openssl-0.9.7 on HPUX (Unix) systems.

thankful for any help in this regard.

Namaste,
R S Chandrasekhar
[EMAIL PROTECTED]
ISD : 091-080-2051166
Telnet : 847-1166
Phone : 2052427