I have a working OpenSSL Engine that I would like to use with OpenSSH.
My version of OpenSSH seems to have the patch applied which initializes
the dynamic engine support in OpenSSL, but the engine is not used. 

Is there somebody on the list who can help me understand what's
happening, and maybe how to make it work? 

Here are some details which may be relevant:

install-test:~ # uname -a
Linux install-test 2.6.16.21-0.8-default #1 SMP Mon Jul 3 18:25:39 UTC 2006 s390x s390x s390x GNU/Linux
install-test:~ # rpm -q openssl
openssl-0.9.8a-18.4
install-test:~ # rpm -q openssh
openssh-4.2p1-18.2
install-test:~ # rpm -q openssl-ibmca
openssl-ibmca-1.0.0-7.4
install-test:~ # openssl engine ibmca -c -tt
(ibmca) Ibmca hardware engine support
 [RSA, DSA, DH, RAND, DES-ECB, DES-CBC, DES-EDE3, DES-EDE3-CBC, AES-128-ECB, AES-128-CBC, AES-192-ECB, AES-192-CBC, AES-256-ECB, AES-256-CBC, SHA1, SHA256]
     [ available ]
install-test:~ #

This would be IBM PCICA crypto accelerators on zSeries (z800), with SuSE
SLES10. This has never worked for me, but I am very interested in making
it do so. The hardware itself is demonstrated to be working correctly
with OpenSSL when we explicitly call out the ibmca engine.

I just noticed this, which may help explain some of the problem, or then
again, may be normal and expected?

install-test:/net/lnx00009/sles10/fcs/dvd/suse/s390x # openssl engine -t
(dynamic) Dynamic engine loading support
     [ unavailable ]
(ibmca) Ibmca hardware engine support
     [ available ]

Is the dynamic engine loading support supposed to be "unavailable"? From
the looks of the OpenSSH patch, I expect the dynamic engine loading
support must be working for it to even be possible for OpenSSH to use
any engine.

Any light anybody can shed on this would be tremendously appreciated.
Thanks!

ok
r.
