Hi there,
On Thu, 31 May 2001, James Bromberger wrote:
> > > I built 0.9.6a-engine under Solaris 8 and have the hardware device configured.
> > > Sun ships a library called "libswift.so" (a link to "libswift.so.5.2.2"),
> > > along with libraries for Netscape Server (swiftns351.so, swiftns351.so.1) and
> > > iPlanet (cryptoki.jar, libcryptoki22.so).
> > >
> <chomp>
> > > > 4189:error:26067072:engine routines:CSWIFT_MOD_EXP_CRT:request
> > > > failed:hw_cswift.c:524:CryptoSwift error number is -10004
> > > > 1 1024 bit private RSA's in 0.90s
> > > > Doing 1024 bit public rsa's for 10s: RSA verify failure
> > > > 4189:error:26066072:engine routines:CSWIFT_MOD_EXP:request
> > > > failed:hw_cswift.c:413:CryptoSwift error number is -10004
> > > > 1 1024 bit public RSA's in 0.71s
> <chomp>
>
> The above errors were with the engine "cswift". The following is the output
> from the speed test without the engine, which completed with no error messages
> being displayed (which is why I chomped it first time around; see below for a
> complete output).
Yep - it's just that, as you can see from that output, only 1 private RSA
operation took place (and that was probably the one that failed too so in fact
no successful operations took place). Hence the stats really can be disregarded
- something is failing more fundamentally. [NB: See below, as I worked through
your mail, I started to wonder if in fact this was the case]
> The second output is re-run and quoted in full below:
>
> > # ./openssl speed rsa1024
> > Doing 1024 bit private rsa's for 10s: 349 1024 bit private RSA's in 10.20s
> > Doing 1024 bit public rsa's for 10s: 6402 1024 bit public RSA's in 10.00s
> > OpenSSL 0.9.6a [engine] 5 Apr 2001
> > built on: Wed May 30 12:44:49 WST 2001
> > options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long) idea(int) blowfish(ptr)
> > compiler: gcc -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM
> > sign verify sign/s verify/s
> > rsa 1024 bits 0.0287s 0.0016s 34.8 640.2
Weird, something is screwy in your version of speed ... the tests do run
(successfully) for 10s, and the sign/s and verify/s stats are right, but the
timings for sign/verify are wrong (should be 10.20s and 10.00s, not 0.0***).
That reminds me, the BIGNUM performance of the software implementation on sparc
is *lame* ... any sparc assembly wizards out there?
> > Yes, for the "openssl ***" commands (such as speed, s_client, etc), you use the
> > "-engine <id>" switch to specify an engine. There is also an "openssl engine"
> > command for listing (and if you want, testing) the engines available.
>
> I tried the "engine" option to get a listing:
>
> > # ./openssl engine
> > openssl:Error: 'engine' is an invalid command.
Ah ... maybe it's not in your version of OpenSSL. Sorry.
> If you specify -engine with no engine specified, it says just as much... "no
> engine given".
Yeah, you need to specify "-engine <id>", i.e. in your case, "-engine cswift".
> > I'd
> > recommend playing with that until you can see that openssl-based apps are using
> > your card OK, and only then start worrying about "speed" (which is obviously
> > less help in testing that the hardware is working).
>
> Speed isn't really what I want; using the card is. The OpenSSL speed test was
> just a way of trying to determine if the lower layer in the whole Apache +
> mod_ssl + OpenSSL + crypto card are working.
Yeah ... FYI: Even once this is up and running, you'll probably still find
"speed" purporting errors because sparcs + cswift (IIRC) bail out of any
in-progress operations with an error when a timer interrupt arrives (which is
how speed works). However, you'd still see hundreds of operations succeeding
before that failure - right now you are seeing nothing really. At least that's
what it seems...
Try running s_server with the engine, eg.
openssl s_server -accept 9001 -cert <cert.pem> -CAfile <cacert.pem> \
-engine cswift -www
where "cert.pem" and "cacert.pem" would be changed to refer to the server cert
and the CA cert of your modssl installation. If the private key is stored
outside the cert file, you'll need to add "-key <key.pem>" as well.
Then you should be able to hit it with a browser (https://localhost:9001/) or
s_client if you want more info;
openssl s_client -connect localhost:9001 -CAfile <cacert.pem>
(then type "GET /" followed by [ENTER])
> > For other applications (eg. mod_ssl, Apache-SSL, mail-server embellishments,
> > etc) you'll have to see what support, if any, they have for doing the same
> > thing. OpenSSL has to be instructed to use a given ENGINE - and it's possible to
> > have multiple ENGINEs in use at the same time for different roles and/or keys,
> > so it's not sufficient for openssl to just try and "pick" an ENGINE par default.
> > (Also, given it's generally *other* applications using the openssl libraries,
> > it's not a good idea to take control away from the application developer of such
> > things.)
>
>
> Eeek. I haven't seen anything for mod_ssl to use a specific ENGINE; can
> someone please point me to some doco on this?
"SSLCryptoDevice", IIRC. I believe you need to compile mod_ssl with
SSL_EXPERIMENTAL as Ralf is leaving the device support as 'experimental' until
the next release of OpenSSL contains ENGINE support par default (0.9.6 is
released in a 'standard' and an 'engine' version separately).
> Well, I have the "cstest" binary that Sun ships, which probes the card and
> tells it's state. It reports the number of interrupts attempted & serviced and
> the number of requests attempted & serviced. My speed tests with the engine
> enabled do increment this. Below is a paste from the output of "cstest":
>
> > $ ./cstest
> > API Version: 5.2.2
> > Driver Version: 2.1.3
> > Accelerators: 1
[snip]
>
> Interestingly, every time I run "cstest", both the number of interrupts and
> the requests are all incremented by two; I assume probing the driver and card
> is what is doing this. (Kind of like quantum physics, you can see what state
yup - I recall this from the old days (when I last used one of these cards
myself).
> is WAS in, but not what state it IS in). Doing a "openssl speed rsa1024
> -engine cswift" is incrementing these numbers by big chunks. I ran the speed
> test straight after I took the above output, and then re-ran "cstest", and
> these numbers are now around 203,898, but the two error messages regarding
> CSWIFT_MOD_EXP_CRT and CSWIFT_MOD_EXP remained, and the timings returned
> were still bad.
Hell, that's adding a few thousand driver operations to the total - I'm guessing
that perhaps the card *is* performing operations but the final failure is
screwing up "speed". When using the engine, does speed seem to run for 10 or so
seconds twice or do the failures happen immediately upon running it? If the
former, it's probably working up until the timer and speed is just misreporting
things. If that's the case, you should find "s_server" (and others, such as
mod_ssl) work fine with the card.
Good luck,
Geoff
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
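Geoff's diagnostic in the mail above comes down to one rule: with the engine loaded, look at how many operations actually completed before the CryptoSwift error, rather than at the sign/verify summary table. If only one operation is counted next to an error, nothing really succeeded; if hundreds completed and the run lasted roughly the requested ten seconds, the card was working and the timer interrupt just aborted the last request. The script below is an added example, not code from the thread, from OpenSSL or from Sun; it parses `openssl speed rsa1024` output of the shape quoted in this mail and applies that rule. The first two samples are the lines quoted above; the third sample (412 operations in 9.98s) is constructed to show the "worked until the timer" case.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Line shapes taken from the speed output quoted in the thread.
DOING_RE = re.compile(r"Doing (\d+) bit (private|public) rsa's for (\d+)s")
RESULT_RE = re.compile(r"(\d+) (\d+) bit (private|public) RSA's in ([\d.]+)s")
ERROR_RE = re.compile(r"CryptoSwift error number is (-?\d+)")


@dataclass
class SpeedTest:
    bits: int
    kind: str                       # "private" (sign) or "public" (verify)
    requested_s: Optional[int] = None
    ops: int = 0
    elapsed_s: float = 0.0
    errors: List[int] = field(default_factory=list)

    def ops_per_second(self) -> float:
        # Throughput from the count line, not from the summary table.
        return self.ops / self.elapsed_s if self.elapsed_s > 0 else 0.0

    def verdict(self) -> str:
        if not self.errors:
            return "ok"
        if self.ops <= 1:
            # The single counted op is most likely the one that failed.
            return "no successful operations"
        if self.requested_s and self.elapsed_s >= 0.9 * self.requested_s:
            # Ran for the full interval: the card worked until the timer fired.
            return "worked until timer"
        return "failed early"


def parse_speed_output(text: str) -> List[SpeedTest]:
    """Parse speed output into one SpeedTest per private/public run.

    Error lines are attached to the result line that follows them, so a run
    whose "Doing ..." header was cut off (as in the quoted mail) still parses.
    """
    tests: List[SpeedTest] = []
    current: Optional[SpeedTest] = None
    pending_errors: List[int] = []
    for line in text.splitlines():
        m = DOING_RE.search(line)
        if m:
            current = SpeedTest(int(m.group(1)), m.group(2), int(m.group(3)))
            tests.append(current)
        m = ERROR_RE.search(line)
        if m:
            pending_errors.append(int(m.group(1)))
        m = RESULT_RE.search(line)
        if m:
            ops, bits, kind, elapsed = (int(m.group(1)), int(m.group(2)),
                                        m.group(3), float(m.group(4)))
            if current is None or current.kind != kind or current.bits != bits:
                current = SpeedTest(bits, kind)
                tests.append(current)
            current.ops, current.elapsed_s = ops, elapsed
            current.errors.extend(pending_errors)
            pending_errors = []
            current = None
    return tests


# Sample 1: engine run as quoted in the thread (header line was chomped).
ENGINE_RUN = """\
4189:error:26067072:engine routines:CSWIFT_MOD_EXP_CRT:request failed:hw_cswift.c:524:CryptoSwift error number is -10004
1 1024 bit private RSA's in 0.90s
Doing 1024 bit public rsa's for 10s: RSA verify failure
4189:error:26066072:engine routines:CSWIFT_MOD_EXP:request failed:hw_cswift.c:413:CryptoSwift error number is -10004
1 1024 bit public RSA's in 0.71s
"""

# Sample 2: software-only run as quoted in the thread.
SOFTWARE_RUN = """\
Doing 1024 bit private rsa's for 10s: 349 1024 bit private RSA's in 10.20s
Doing 1024 bit public rsa's for 10s: 6402 1024 bit public RSA's in 10.00s
"""

# Sample 3: constructed; shows a card that worked until the timer interrupt.
TIMER_ABORT_RUN = """\
Doing 1024 bit private rsa's for 10s: RSA sign failure
4189:error:26067072:engine routines:CSWIFT_MOD_EXP_CRT:request failed:hw_cswift.c:524:CryptoSwift error number is -10004
412 1024 bit private RSA's in 9.98s
"""


def report(text: str) -> List[str]:
    return [f"{t.bits}-bit {t.kind}: {t.ops} ops in {t.elapsed_s}s "
            f"({t.ops_per_second():.1f}/s), errors={t.errors} -> {t.verdict()}"
            for t in parse_speed_output(text)]


if __name__ == "__main__":
    for name, sample in (("engine", ENGINE_RUN), ("software", SOFTWARE_RUN),
                         ("timer-abort", TIMER_ABORT_RUN)):
        print(name)
        for line in report(sample):
            print("  " + line)
```

Run it as-is to see the three verdicts; feed it a captured `openssl speed rsa1024 -engine cswift` transcript to classify a real run. The elapsed-time check is deliberately loose (90% of the requested interval) because speed's per-run timing is itself what is in question here.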