I thought I'd cc modssl-users and openssl-users mailing lists as I guess
others might be having the same problem.

The problem is that the engine code in openssl-engine-0.9.6 is pretty recent
and mod-ssl has yet to add support for it. Ideally there would be a line in
the httpd.conf file to specify what openssl-engine should be used by default,
I'm sure this will be there in future releases :-)

For now you could try the following hack which sets the chil engine as the
default engine to use in mod-ssl.

I'm assuming that
openssl speed -engine chil
works and that you've configured apache to link with the ld library, eg,
edit apache-1.3.12/src/Makefile
by setting
EXTRA_LIBS=-ldl

To get mod-ssl to use chil as the default engine:

Edit apache_1.3.12/src/modules/ssl/mod_ssl.h, just after the line
(line 118) #include <openssl/rand.h>
add
#include <openssl/engine.h>




Edit apache_1.3.12/src/modules/ssl/ssl_engine_init.c, just after the line
(line 329) X509V3_add_standard_extensions();
add
    {
        /* Look up the chil engine */
        ENGINE *e = ENGINE_by_id("chil");
        if( e == NULL )
        {
            /* Report the error eg.
             * fprintf ( stderr, "Couldn't find chil engine" );
             */
            return;
        }

        /* This is vital for the CHIL plugin to cope with Apache's forking behaviour. */
        ENGINE_ctrl(e, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);

        /* Set the chil engine to be the default. */
        if( !ENGINE_set_default(e, ENGINE_METHOD_ALL) )
        {
            /* Report the error eg.
             * fprintf ( stderr, "Can't use the chil engine" );
             */
        }
        ENGINE_free(e);
    }

make apache with these changes by typing
make
make install

start apache as usual by typing
bin/apachectl startssl

Let me know how you get on,
Bertie
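
Added illustration, not part of the original message and not nCipher's or OpenSSL's code: the fork-check setting in the hack above matters because Apache initialises mod_ssl in a parent process and then forks workers that inherit the parent's state. The C program below shows the general pattern, assuming a fork check means tagging a device session with the pid that opened it and reopening it when a different pid uses it; struct hw_session, hw_open and hw_fork_check are hypothetical names.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for a per-process connection to a crypto device. */
struct hw_session {
    pid_t owner;    /* pid that opened the connection */
    int   reopens;  /* number of times it had to be reopened */
};

static void hw_open(struct hw_session *s, pid_t self)
{
    s->owner = self;
    s->reopens = 0;
}

/* Fork check, called before every operation. Returns 1 if the session was
 * inherited from another process and had to be reopened, 0 otherwise. */
static int hw_fork_check(struct hw_session *s, pid_t self)
{
    if (s->owner == self)
        return 0;
    /* Assumption: a real library would open a fresh connection here rather
     * than share the parent's connection between sibling workers. */
    s->owner = self;
    s->reopens++;
    return 1;
}

int main(void)
{
    struct hw_session s;
    hw_open(&s, getpid());          /* parent initialises, as in Apache's init phase */
    printf("parent: reopened=%d\n", hw_fork_check(&s, getpid()));

    pid_t child = fork();           /* worker process, like an Apache child */
    if (child < 0) { perror("fork"); return 1; }
    if (child == 0) {
        int first = hw_fork_check(&s, getpid());   /* inherited session */
        int second = hw_fork_check(&s, getpid());  /* now owned by the child */
        printf("child: first=%d second=%d\n", first, second);
        _exit(first == 1 && second == 0 ? 0 : 1);
    }
    int status = 0;
    waitpid(child, &status, 0);
    return WIFEXITED(status) && WEXITSTATUS(status) == 0 ? 0 : 1;
}
```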

Thank you for the quick reply.

Yes, I'm presently using the openssl 0.9.6 (engine version)

I was able to perform some speed tests by using the "CHIL" library.

My problem is telling openssl to use that engine by default and integrating this over MODSSL.

I'm using mod-ssl 2.6.6 with Apache 1.3.12, I didn't figure out a way to interface the Mod-SSL using the CHIL engine by default.

That's why I was asking if we need to patch openssl (to let it support it by default), or it's something that "ModSSL" should handle at the Web application level.

The only thing I could do right now, it's:
    openssl speed -engine chil
or
    openssl speed -engine openssl
and compare the performance results over RSA.

Best Regards.

Sylvain Bolduc

Surefire Commerce Inc.
2 Place Alexis Nihon, Suite 700
3500 Blvd. De Maisonneuve O.
Westmount, Quebec
H3Z 3C1

Courriel: [EMAIL PROTECTED]
Web: www.surefirecommerce.com

Tel: (514)380-2700 ext.: 3276
Fax: (514)380-2760



-----Original Message-----
From: Adrian Peck [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 29, 2000 5:48 AM
To: Sylvain Bolduc
Cc: [EMAIL PROTECTED]
Subject: Re: OpenSSL v0.9.6 vs nCipher NFAST300 (PCI)



As you say, at the moment we only bundle patches for OpenSSL 0.9.2b and 0.9.4. If you use the 0.9.4 patch on an OpenSSL 0.9.6 directory then you will probably get one or two conflicts which should be obvious to resolve but only if you're a programmer.



A better idea would be to download openssl-engine-0.9.6 from openssl.org. This is essentially the same as openssl-0.9.6 but with extra code written by the openssl team to support the CHIL interface. If you use openssl-engine-0.9.6 then you don't need a patch from nCipher at all, you just need our CHIL shared library which should have been included with the bundled software you received. Note this library needs to be on your library path, eg. set

LD_LIBRARY_PATH=/opt/nfast/toolkits/hwcrhk

By default the OpenSSL utilities won't use the CHIL engine, however they all have a -engine option. So to run s_server using our CHIL library type

openssl s_server -engine chil

If you are using Apache or some other application with OpenSSL then you have to wait for that application to support the openssl engine interface. If you tell me what the application is I might be able to help you with it.



Hope this helps,



Bertie



At 06:14 PM 9/28/00 -0400, Sylvain Bolduc wrote:

>>>>



Greetings, we are presently evaluating your product NFAST300.

We received the board recently from your sales representative.

With the bundled software package, it seems the patch for OpenSSL (for enabling ncipher hw) is for OpenSSL v.094 or v092b.

We are presently using OpenSSL v.096.

Is there a way to compile OpenSSL 0.9.6 against your patch code?

I presume we need a new patch code?

If not, could you tell me which steps are required to make it work with openssl?

Thanks.

Sylvain Bolduc

Surefire Commerce Inc.
2 Place Alexis Nihon, Suite 700
3500 Blvd. De Maisonneuve O.
Westmount, Quebec
H3Z 3C1

Courriel: [EMAIL PROTECTED]
Web: www.surefirecommerce.com

Tel: (514)380-2700 ext.: 3276
Fax: (514)380-2760





<<<<



<<<<


______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
