> On Mar 21, 2017, at 06:56, Emeric Brun <[email protected]> wrote: > > Hi Grant, > >>> >>> I'm not sure that the issue is related to your patch, i may reach an issue >>> int QAT engine >>> >>> I've made some test using openssl s_server. >>> >>> Doing a curl request shows this error: >>> [root@centos bin]# ./openssl s_server -accept 9443 -engine qat -cert >>> /root/2048.pem >>> ERROR >>> 140267076605760:error:1408F119:SSL routines:ssl3_get_record:decryption >>> failed or bad record mac:ssl/record/ssl3_record.c:602: >>> shutting down SSL >>> CONNECTION CLOSED >>> >>> And using the haproxy as client also fails with this error: >>> 140267076605760:error:800910C8:lib(128):qat_rsa_priv_enc:rsa from to >>> null:qat_rsa.c:917: >>> 140267076605760:error:141EC044:SSL >>> routines:tls_construct_server_key_exchange:internal >>> error:ssl/statem/statem_srvr.c:2453: >>> shutting down SSL >>> CONNECTION CLOSED >>> >>> R, >>> Emeric >> >> Maybe you run into the openssl 1.1 SNI issue. Does your test branch have the >> following patch: >> http://git.haproxy.org/?p=haproxy.git;a=commit;h=d3850603933c9319528375088a9b28b9b345246b >> >> >> If not, could you please give a try? >> >> Thanks, >> >> Grant >> >> > > To keep you informed: > > We fixed my qat engine configuration and the second error is gone. > > But i still notice 'bad record' errors if the client uses opensslv1.1 or > gnutls. > > There is no issue if the client uses opensslv1.0.x > > Same error using the engine with haproxy or openssl s_server. So the problem > is not on your side. > > R, > Emeric
Hey Emeric, Thank you very much for the information. Hopefully the s_server + qat issue could be addressed soon. Regards, Grant
