Hi Rich,

> On 19. Jul 2024, at 16:42, Richard W.M. Jones <rjo...@redhat.com> wrote:
> 
> Makes sense!  (I still have no idea what these "engines" are)

ENGINEs are an API for OpenSSL to delegate certain operations (random number 
generation or cryptographic operations) to third-party modules.

They have historically been used to implement PKCS#11 smartcard support (using 
the openssl-pkcs11 package) or hardware-accelerated cryptography (e.g., Intel 
QAT in the qatlib package).

OpenSSL 3.0 has deprecated ENGINEs and introduced the concept of a provider 
instead. Simo Sorce and the RHEL crypto team have developed pkcs11-provider 
(same name in Fedora) for continued support of PKCS#11 smartcards, and others 
have been working on porting their use cases over.

The advantage of providers over ENGINEs is that applications had to explicitly 
support ENGINEs for them to work. With providers, applications can be written 
in a way that they don’t care whether the private key is in a file or a 
smartcard. ENGINEs also use various differing code paths inside of OpenSSL, 
which often trigger subtle bugs and weird behavior.


HTH,
Clemens
-- 
Clemens Lang
RHEL Crypto Team
Red Hat
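
To make the point above concrete, here is a minimal system-wide openssl.cnf fragment that activates pkcs11-provider next to the default provider; it is an added illustration, not part of Clemens's message or of the pkcs11-provider project, and the two module paths are assumptions for a Fedora x86_64 layout.

```ini
# Added example (not from this message or the pkcs11-provider project):
# openssl.cnf fragment that activates pkcs11-provider alongside the
# default provider. With this in place, an application that loads keys
# through the generic OpenSSL 3 APIs (for example OSSL_STORE with a
# "pkcs11:" URI) reaches the smartcard without any ENGINE-specific code.
# Both paths below are assumptions for a Fedora x86_64 layout.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1

[pkcs11_sect]
# Provider module shipped by the pkcs11-provider package (assumed path).
module = /usr/lib64/ossl-modules/pkcs11.so
# PKCS#11 driver for the token, here OpenSC (assumed path).
pkcs11-module-path = /usr/lib64/pkcs11/opensc-pkcs11.so
activate = 1
```

`openssl list -providers` should then list both providers as active; if pkcs11 is missing, check the module paths first.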
