REQUEST TO MODERATOR: valgrind and openssl

2008-05-20 Thread Paul Sheer
Hi there, Can you please unsubscribe anyone who posts on this subject again. The participants should long ago have taken this debate off list. It's degenerated into a discussion without any value whatsoever. Kind regards -paul

Re: extend openssl to cache SSL state

2008-04-30 Thread Paul Sheer
Hi Can I ask exactly why you want two processes to share the same session? I am working on an ssl offloading application which acts as an SSL terminator and spits out plain-text HTML to several machines over which it can load balance. It works well, and it starts multiple processes - but at not t

Re: Reenabling mdc-2 in openssl by default

2008-04-06 Thread Paul Sheer
Can I ask what projects are shouting: "we desperately need MDC-2 in order to support XYZ protocol - please enable." Also, a question from me: what are the criteria for including an algorithm? At first glance it looks like OpenSSL contains a lot of ciphers that nobody ever (?) uses. Can people answ

Patch to e_gmp.c

2008-04-02 Thread Paul Sheer
This code has the comment /* HACK - use text I/O functions in openssl and GMP to handle conversions. This * is vile. */ I fixed this with the attached patch. Not sure if we would really want to support all the permutations of limb sizes differing between OpenSSL and GMP Here I only support t

GMP engine gives OpenSSL 3 X speedup on UltraSPARC-II 64-bit - anyone working on an improved GMP engine?

2008-03-31 Thread Paul Sheer
Is anyone maintaining the GMP engine? Just linked in libgmp/ENGINE_load_gmp() and was quite amazed. This is an old 450MHz single-cpu box running Solaris 10 64-bit. Libgmp engine benchmarks at 75 new ssl connections per second, but regular OpenSSL can do only 24 per second. That's a massive improve

Re: OpenSSL performance woes with ubsec crypto engine (Broadcom BCM5820/BCM5823/BMC5825/BMC582x)

2008-01-30 Thread Paul Sheer
no I meant that I am already getting 2000/sec on the *server*. By my calculations I should be able to get 3000/sec on the server with the optimizations I want to do. > 2000/sec is a good place to be, on a client. Expect less on a > server, unfortunately. > > > I replaced OPENSSL_cleanse() {...}

OpenSSL performance woes with ubsec crypto engine (Broadcom BCM5820/BCM5823/BMC5825/BMC582x)

2008-01-30 Thread Paul Sheer
Hi, I have a BMC5825 card from Silicom that is supposed to do over 10'000 rsa per second. In practice Proto Balance can do about 1900 fresh SSL connections per second, on an Intel Core2 Duo 2.2GHz. But I think more work can vastly improve this. (Without the card I get about 700 per second - thus

Re: Static global - bug? (Re: Two valgrind warnings in OpenSSL -possible bug???)

2008-01-30 Thread Paul Sheer
> So you had a bug in your code. So what? No bug - read this: http://www.unix.org/version2/whatsnew/threadspaper.ps : Registration of fork handlers (pthread_atfork( )). The fork handlers are routines that are to be executed in association with calls to the fork( ) function. There are three c

Re: Static global - bug? (Re: Two valgrind warnings in OpenSSL -possible bug???)

2008-01-29 Thread Paul Sheer
> > > I find it hard to believe that there exists a platform where: > On FreeBSD/OpenBSD my program outright core dumped and I could not figure out why for days and days. Now I have two separate builds - one built with "-D_REENTRANT -DTHREADS ... -lpthread" and one without. Only with Linux do you

Re: Static global - bug? (Re: Two valgrind warnings in OpenSSL - possible bug???)

2008-01-29 Thread Paul Sheer
> The answer is that if you're compiled single-threaded, it's perfectly legal. > If you're multi-threaded, it's not. err, nobody codes like this find me an example in real-life code that is being used. better yet, find me an example in OpenSSL. Your other points I agree with however. > > Let's

Re: Static global - bug? (Re: Two valgrind warnings in OpenSSL -possible bug???)

2008-01-29 Thread Paul Sheer
> This behavior, by itself, does not necessarily guarantee > that your OpenSSL library code won't race against itself, > won't corrupt its own data, or crash (hint: learn about > the MySQL case, search the archives). "its own data"?? - well this is exactly why I asked on this list :-) I wanted to

Re: Static global - bug? (Re: Two valgrind warnings in OpenSSL -possible bug???)

2008-01-28 Thread Paul Sheer
ng. So I am trying to avoid having to have two installations of OpenSSL on every build platform. -paul On Jan 25, 2008 4:45 PM, Leandro Santi <[EMAIL PROTECTED]> wrote: > Tomas Mraz, 2008-01-24: > > So IMO what Paul Sheer is doing - disabling all locking in OpenSSL given >

Re: Static global - bug? (Re: Two valgrind warnings in OpenSSL-possible bug???)

2008-01-24 Thread Paul Sheer
I'm replying to David's email off-list... -paul On Jan 24, 2008 8:44 PM, David Schwartz <[EMAIL PROTECTED]> wrote: > > > But I must say that I believe that no-one has ever used OpenSSL > > with 10'000 concurrent SSL objects. > > Umm, what?! We've last tested to almost 16,384. Our first test to 1

Re: Static global - bug? (Re: Two valgrind warnings in OpenSSL-possible bug???)

2008-01-24 Thread Paul Sheer
> > > So IMO what Paul Sheer is doing - disabling all locking in OpenSSL given > > that there won't be any static and/or global variables in the OpenSSL > > code called is 100% safe thing if the threads do not share any data > > manipulated within the OpenSSL libra

Re: Static global - bug? (Re: Two valgrind warnings in OpenSSL -possible bug???)

2008-01-24 Thread Paul Sheer
> So IMO what Paul Sheer is doing - disabling all locking in OpenSSL given > that there won't be any static and/or global variables in the OpenSSL > code called is 100% safe thing [>] if [<] the threads do not share any data > manipulated within the OpenSSL library.

Re: Static global - bug? (Re: Two valgrind warnings in OpenSSL -possible bug???)

2008-01-22 Thread Paul Sheer
> Removing all the problems you can find is simply not a reliable way to > develop software. You have to design the software such that there aren't > problems, then remove any that slipped through. You can't use testing as the > way to create the guarantee in the first place. Heh :-) I totally ag

Re: Static global - bug? (Re: Two valgrind warnings in OpenSSL -possible bug???)

2008-01-22 Thread Paul Sheer
> > How are you sure of this ? Did you manually remove the object code from > the library, or place an abort(); call at the points -DPURIFY is listed > to you can be sure that execution never gets there. > Actually, I am trying to create an application that has one context per thread, where each

Re: Static global - bug? (Re: Two valgrind warnings in OpenSSL -possible bug???)

2008-01-22 Thread Paul Sheer
> > IMO, writing security software by doing something that is specifically not > documented or guaranteed to work and then trying to fix every problem it > creates (at least, that you can find) is completely insane. > Ok, I managed to "find" another problem: error setting/getting (eg. ERR_clear_er

Re: Static global - bug? (Re: Two valgrind warnings in OpenSSL -possible bug???)

2008-01-22 Thread Paul Sheer
Well my hybrid threaded app now seems to be stable - even under extreme loads. Here is what I did for others to refer: Comments *most* welcome. These steps allow me to link both builds of my program with the same non-threaded OpenSSL build. I.e. both the fork() and pthread_create() builds of my

Two valgrind warnings in OpenSSL - possible bug???

2008-01-19 Thread Paul Sheer
I valgrind'ed OpenSSL as follows: I compiled OpenSSL (0.9.8g) with my own random number engine - in order to generate pseudo random numbers that are not based on uninitialized values (if you run openssl without doing this you get infinite warnings - of course). The results are as follows ==26139==

OffloadModExpo, Windows and crypto-hardware support

2008-01-16 Thread Paul Sheer
Has anyone worked on supporting OffloadModExpo from within OpenSSL? I.e. to allow a Windows SSL application to use OpenSSL instead of the native Windows crypto libraries, but still take advantage of the Windows OffloadModExpo function. This would be useful if you have bought some accelerator card