Hello, we have an SCA6000 crypto accelerator card running on Solaris 10 (Generic_141445-09):
Device Info:
* Hardware Version: 1.5.50
* Bootrom Version : 1.0.10
* Firmware Version: 1.1.2

Hashing algorithms are disabled on the card. Apache and mod_ssl work fine with either the prefork or the worker model. RSA and AES operations are offloaded to the card; the kstat rsa* and aes* counters increase as expected.

We intend to use SSL offloading with pound, a multi-threaded load balancer, though (www.apsis.ch/pound/). I tested pound with both OpenSSL v0.9.7d from Sun and v0.9.8l with the pkcs#11 patch from openssl.org, both times with the same problem. With a standard pound install the following happens:

$ openssl s_client -connect 192.168.100.50:443
CONNECTED(00000003)
...
verify error:num=21:unable to verify the first certificate
verify return:1
2617:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1061:SSL alert number 20
2617:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Pound complains that "BIO_do_handshake with 192.168.2.96 failed: error:8008C076:lib(128):PK11_GET_CIPHER_KEY:C_CreateObject failed".

The only way I can get pound to work is to remove the ENGINE_METHOD_CIPHERS from the engine's default methods:

--- a/config.c Thu Dec 3 16:25:49 2009 +++ b/config.c Thu Dec 3 16:26:08 2009 
@@ -1134,7 +1134,7 @@ logmsg(LOG_ERR, "line %d: could not init %s engine", n_lin, lin + matches[1].rm_so); exit(1); } - if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) { + if(!ENGINE_set_default(e, ENGINE_METHOD_ALL & ~ENGINE_METHOD_CIPHERS)) { ENGINE_free(e); logmsg(LOG_ERR, "line %d: could not set all defaults", n_lin); exit(1);

Asymmetric encryption is offloaded to the card now and I can establish an SSL connection with the load balancer, but at the cost of having symmetric encryption done at the software level.

Searching for some clues I only found #6540060 "race in pkcs#11 engine in multithreaded environment", which is reported fixed in solaris_nevada(snv_66) and solaris_10u6(s10u6_05).

I don't see what's happening here, so any help is greatly appreciated.

Best regards,
Flo
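
Review bot: the new mask passed to ENGINE_set_default() hard-codes the exclusion of ENGINE_METHOD_CIPHERS for every engine pound loads, with no comment explaining why, and the failure branch right below it still logs "could not set all defaults" although not all methods are requested any more. Consider making the excluded methods a configuration option, or at least adding a comment that points at the C_CreateObject failure this works around, and adjust the log text to match the narrower request.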
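
The hexadecimal codes in the error lines quoted in the post can be unpacked into their library, function and reason fields. The decoder below is an added example, not part of the original post and not code from pound or OpenSSL; it assumes the 8/12/12-bit layout used by the OpenSSL 0.9.x/1.x error queue, and the names decode_ossl_error and struct ossl_err are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout (ERR_PACK in OpenSSL 0.9.x/1.x):
 * bits 31..24 library, bits 23..12 function, bits 11..0 reason. */
#define LIB_SSL      20    /* ERR_LIB_SSL */
#define LIB_USER     128   /* ERR_LIB_USER: first id handed out at run time */
#define ALERT_OFFSET 1000  /* SSL reason = 1000 + alert number from the peer */

struct ossl_err {          /* hypothetical helper type for this example */
    unsigned lib, func, reason;
    int alert;             /* TLS alert number, -1 if the reason is not an alert */
    int dynamic_lib;       /* 1 if the library id was allocated at run time */
};

/* Accepts a bare code ("140943FC") or any text holding "error:<hex>:".
 * Returns 0 on success, -1 when no hex code of at most 8 digits is found. */
int decode_ossl_error(const char *text, struct ossl_err *out)
{
    const char *p = strstr(text, "error:");
    char *end;
    unsigned long code;

    p = p ? p + strlen("error:") : text;
    code = strtoul(p, &end, 16);
    if (end == p || end - p > 8)
        return -1;
    out->lib = (unsigned)((code >> 24) & 0xff);
    out->func = (unsigned)((code >> 12) & 0xfff);
    out->reason = (unsigned)(code & 0xfff);
    out->alert = (out->lib == LIB_SSL && out->reason >= ALERT_OFFSET)
                     ? (int)out->reason - ALERT_OFFSET : -1;
    out->dynamic_lib = out->lib >= LIB_USER;
    return 0;
}

int main(void)
{
    /* Error strings as quoted in the post above. */
    const char *lines[] = {
        "2617:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac",
        "2617:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure",
        "error:8008C076:lib(128):PK11_GET_CIPHER_KEY:C_CreateObject failed",
    };
    struct ossl_err e;
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        if (decode_ossl_error(lines[i], &e) == 0)
            printf("lib=%u func=%u reason=%u alert=%d dynamic_lib=%d\n",
                   e.lib, e.func, e.reason, e.alert, e.dynamic_lib);
    return 0;
}
```

For the pound message the decoder reports library 128, an id assigned at run time, which matches the "lib(128)" printed where a library name would normally appear.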