I was thinking, and perhaps wrongly for versions prior to apache 2, that
modules required openssl be shared, but, earlier mod-ssl based versions I
do not think were so limited, being how they were built with ssl support.

I'm pretty sure, and others will correct me if I'm wrong, that openssl, the
engine version, is the part that enables crypto devices <accelerator
cards>, and the documentation for it should define those devices it
supports;

This is from the README.ENGINE file for openssl-engine-0.9.6b/, note that
this is not the most current version, and 0.9.6d might well have new
device support:

<quote>
  ENGINE
  ======

  With OpenSSL 0.9.6, a new component has been added to support external
  crypto devices, for example accelerator cards.  The component is called
  ENGINE, and has still a pretty experimental status and almost no
  documentation.  It's designed to be fairly easily extensible by the
  calling programs.

  There's currently built-in support for the following crypto devices:

      o CryptoSwift
      o Compaq Atalla
      o nCipher CHIL

...

  No external crypto device is chosen unless you say so.  You have to
  actively tell the openssl utility commands to use it through a new
  command line switch called "-engine".  And if you want to use the ENGINE
  library to do something similar, you must also explicitly choose an
  external crypto device, or the built-in crypto routines will be used,
  just as in the default OpenSSL distribution.


  PROBLEMS
  ========

  It seems like the ENGINE part doesn't work too well with Cryptoswift on
  Win32.  A quick test done right before the release showed that trying
  "openssl speed -engine cswift" generated errors.  If the DSO gets
  enabled, an attempt is made to write at memory address 0x00000002.
</quote>

Unfortunately, the documentation on the engine directives is fairly poor
and sparse.

If I recall, others have used such devices with the engine version and may
well be able to help you more than I can at present.  They should respond a
tad later in the day as the sun rises near their locations <smile>.

Sorry I'm not of more help here.

Thanks,

Ron DuFresne


On Fri, 28 Jun 2002, James Bromberger wrote:

> 
> Thanks Ron... I just did this, and there was no change -- it still
> doesn't like this directive:
>       Invalid command 'SSLCryptoDevice', perhaps mis-spelled 
>       or defined by a module not included in the server configuration
> 
> My build was effectively:
>       cd openssl* && sh config -fPIC -DSSL_EXPERIMENTAL shared && make && cd ..
>       cd mm-1.1.3 && ./configure --disable-shared && make && cd ..
>       cd mod_ssl-2.8.10-1.3.26 && ./configure --with-apache=../apache_1.3.26 \
>               --with-ssl=../openssl-engine-0.9.6d \
>               --with-mm=../mm-1.1.3 \
>               --enable-rule=SSL_EXPERIMENTAL \
>               --enable-module=ssl \
>               --prefix=/usr/local/apache --enable-shared=ssl \
>               --enable-module=most \
>               --enable-shared=max --enable-module=so && cd ..
>       cd apache_1.3.26 && make && make install package-root=`pwd`/package-root
> 
> 
> The difference I am doing is removing the "--enable-shared=ssl" and
> "--enable-shared=max", and then it works (as a static).
> 
> Thanks,
> 
>       James
> >>> [EMAIL PROTECTED] 06/28/02 01:45pm >>>
> 
> It might depend upon how you compiled openssl, was it compiled shared
> also?
> 
> Thanks,
> 
> Ron DuFresne
> 
> 
> On Fri, 28 Jun 2002, James Bromberger wrote:
> 
> > Hey people.
> > 
> > I have been running fine with Apache + Mod_SSL under Solaris with
> > everything working fine. I am now recompiling to Apache 1.3.26, Mod_SSL
> > 2.8.10, OpenSSL 0.9.6d, and MM1.1.3. My httpd.conf is pretty much the
> > default, except for just above the SSLPassPhraseDialog (around line
> > 1090) where I have:
> >     SSLCryptoDevice cswift
> > 
> > (it is a Sun Crypto Accelerator 1 (just a rebadged CryptoSwift) in a
> > Netra T1, on Solaris 8)
> > 
> > 
> > There are two compiles I have done: one where I have done everything as
> > a static, and one where it is DSO. When static, I removed my LoadModules
> > and AddModules, and of course, when as a DSO, I add these back in. All
> > pretty straightforward.
> > 
> > When I use static, my hardware crypto is working and everything is
> > wonderful. Birds sing, etc...
> > 
> > When I go DSO and then `apachectl configtest`:
> > 
> >     Invalid command 'SSLCryptoDevice', perhaps mis-spelled 
> >     or defined by a module not included in the server configuration
> > 
> > Which is odd, because all the other SSL directives are OK. If I do a
> > `strings libexec/libssl.so` then I can see that the SSLCryptoDevice is
> > mentioned in the module, however using mod_info, it is not mentioned
> > against mod_ssl as being available.
> > 
> > Does anyone know what is going on here? Why would this work fine as a
> > static, and not as a DSO? This was working with earlier versions (1.3.20
> > & 2.8.4 & 0.9.6b). 
> > 
> > Any help appreciated.
> > 
> >     James
> > 
> > 
> 
> 

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
