I am trying to get OpenSSH working with hardware SSL acceleration.
There is still a lot I don't understand about how the whole setup is
intended to work, and I am hoping some folks on this list will be able
to answer some of my questions and help me get further down the path.

Basically, I have OpenSSL working on SuSE SLES10 with libibmca.so (IBM
PCICA zSeries crypto accelerator). I can use openssl with the -engine
option and demonstrate the hardware is working with openssl.

install-test:/etc/ssl # openssl speed rsa1024 -elapsed -engine ibmca
engine "ibmca" set.
You have chosen to measure elapsed time instead of user CPU time.
To get the most accurate results, try to run this
program when this computer is idle.
Doing 1024 bit private rsa's for 10s:
[...]

My copy of OpenSSH appears to have the required patch applied to use (if
I understand the documentation correctly) the dynamic engine to load
whatever hardware module will initialize and then use it for whatever
ciphers it supports.

install-test:/etc/ssl # strings /usr/bin/ssh | grep ENGINE
ENGINE_register_all_complete
ENGINE_load_builtin_engines
install-test:/etc/ssl #


What I am unsure of is whether the dynamic engine is working correctly.
I'm not sure how exactly I should be testing this, but my guesses give
results that suggest it is not.

install-test:/etc/ssl # openssl engine -tt
(dynamic) Dynamic engine loading support
     [ unavailable ]
install-test:/etc/ssl # openssl engine ibmca -tt
(ibmca) Ibmca hardware engine support
     [ available ]
install-test:/etc/ssl #

When I run the "openssl speed" test above with "-engine dynamic" I get
results that demonstrate that all the work is being done on the main
CPU, and none is being done on the crypto accelerator hardware, which
is not what I would expect.

So: is everything working correctly and it's just that my expectations
are out of whack? Or is there still something that's not configured
exactly right? From what I understand reading the engine(3ssl) man page,
OpenSSH has no chance of working with the ibmca engine at all, unless
the dynamic engine is working correctly to load the ibmca engine. 

I'm poking around in a dark basement, here, and haven't found the light
switch yet. Any help anybody can give would be greatly appreciated.

Thanks!

ok
r.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]