Hi Grant,
On 03/15/2017 12:46 PM, Emeric Brun wrote:
> Hi Grant,
>
> On 03/15/2017 12:05 PM, Emeric Brun wrote:
>> Hi Grant,
>>
>> On 02/04/2017 12:55 AM, Grant Zhang wrote:
>>> This patch set adds the basic support for OpenSSL crypto engine and
>>> async mode.
>>>
>>> Changes since V2:
>>> - support keyword "algo"
>>> - ensure SSL engines are initialized before loading certs.
>>> - limit one async fd per SSL connection
>>> - better integrate with event cache
>>>
>>> Changes since V1:
>>> - add multiple engine support
>>> - allow default algorithms to be specified for an engine
>>> - remove the support for engine identifier "all" since (a) it is not
>>> possible
>>> to specify default algorithms for all engine and (b) "all" makes it hard
>>> to
>>> figure out what engine does what crypto algorithms.
>>> - address Willy's other comments.
>>>
>>
>
> Another issue:
>
> I'm using this configuration:
>
> global
>     ssl-engine qat algo RSA
>     ssl-async
>     tune.ssl.default-dh-param 2048
>
> listen ss
>     mode tcp
>     bind 0.0.0.0:8080
>     server ssl 127.0.0.1:8443 ssl no-ssl-reuse verify none
>
> listen gg
>     mode http
>     bind 0.0.0.0:8443 ssl crt /root/2048.pem
>     redirect location /
>
> Unable to perform a clear request through 8080. There is no issue if I
> disable the engine or if I request directly in SSL on 8443.
>
> R,
> Emeric
>
There are some inconsistencies between the engine and the client used:
here is the conf:
global
    tune.ssl.default-dh-param 2048
    ssl-engine qat
    ssl-async

listen gg
    mode http
    bind 0.0.0.0:8443 ssl crt /root/2048.pem
    redirect location /
openssl s_client -connect performs well but curl fails:
emeric@ebr-laptop:~/inject$ curl -k https://10.0.0.109:8443/
curl: (35) gnutls_handshake() failed: Bad record MAC
If I comment the ssl-engine line, no more issue.
R,
Emeric