Hi Grant, >> >> I'm not sure that the issue is related to your patch, i may reach an issue >> int QAT engine >> >> I've made some test using openssl s_server. >> >> Doing a curl request shows this error: >> [root@centos bin]# ./openssl s_server -accept 9443 -engine qat -cert >> /root/2048.pem >> ERROR >> 140267076605760:error:1408F119:SSL routines:ssl3_get_record:decryption >> failed or bad record mac:ssl/record/ssl3_record.c:602: >> shutting down SSL >> CONNECTION CLOSED >> >> And using the haproxy as client also fails with this error: >> 140267076605760:error:800910C8:lib(128):qat_rsa_priv_enc:rsa from to >> null:qat_rsa.c:917: >> 140267076605760:error:141EC044:SSL >> routines:tls_construct_server_key_exchange:internal >> error:ssl/statem/statem_srvr.c:2453: >> shutting down SSL >> CONNECTION CLOSED >> >> R, >> Emeric > > Maybe you run into the openssl 1.1 SNI issue. Does your test branch have the > following patch: > http://git.haproxy.org/?p=haproxy.git;a=commit;h=d3850603933c9319528375088a9b28b9b345246b > > > If not, could you please give a try? > > Thanks, > > Grant > >
To keep you informed: We fixed my qat engine configuration and the second error is gone. But i still notice 'bad record' errors if the client uses opensslv1.1 or gnutls. There is no issue if the client uses opensslv1.0.x Same error using the engine with haproxy or openssl s_server. So the problem is not on your side. R, Emeric
