Mailing List Archive

Enabling RAND redirection on crypto accelerator using OpenSSL ENGINE
Hi all,


A few months ago I submitted a patch for redirecting RAND on crypto accelerator for mod-ssl and apache-1.3.x.

A few weeks ago, I saw a CVS commit about this on the mod-ssl mailing list.
But I see that apache-2.0.x has not been updated.
I posted a message about this on the mod-ssl dev mailing list, but maybe I should post it somewhere else!

So, in fact the patch is for the ssl_engine_init.c file in directory ./modules/ssl.
Just modify the function calls:
- ssl_engine_init ()
- ssl_init_SSLlibrary ()

"ssl_engine_init()" (line 300) should be called earlier, before "ssl_init_SSLlibrary()" (line 270).

In fact you have to initialize the OpenSSL ENGINE before initializing the library, due to the fact that the OpenSSL default function pointer must be set to the ENGINE function pointer before library initialisation; otherwise you cannot modify the default settings.

Geoff Thorpe comment:
"ssl_init_SSLLibrary() must be seeding the PRNG, and thus initialising the set-on-first-use pointer in openssl to a default RAND_METHOD."

Cliff Woolley comment:
Well, I can't do anything about 1.3's mod_ssl, but if somebody can verify
for me that the following fixes Apache 2.0's mod_ssl, I'll commit it.


I recently downloaded apache-2.0.x and there is no change about this?
So, can anyone tell me more about it?
Is this due to an OpenSSL ENGINE change for a future release, or anything else?


Regards

Fred
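
The ordering problem described in the message above, as an added example that is not part of the original post and is not OpenSSL or mod_ssl code: a self-contained C model of a set-on-first-use RAND method pointer. All names here (`model_engine_init`, `model_library_init`, `rand_after_init`, the two method tables) are hypothetical stand-ins.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption): a RAND method is reduced to its name. */
typedef struct { const char *name; } rand_method;

static const rand_method software_rand = { "software" };
static const rand_method accel_rand    = { "accelerator" }; /* hypothetical engine */

static const rand_method *engine_default_rand = NULL; /* set by engine setup */
static const rand_method *active_rand = NULL;         /* set on first use */

/* Models the engine registering itself as the default RAND provider. */
static void model_engine_init(void) { engine_default_rand = &accel_rand; }

/* Models the lookup: resolved once, then cached for every later caller. */
static const rand_method *model_get_rand_method(void) {
    if (active_rand == NULL)
        active_rand = engine_default_rand ? engine_default_rand : &software_rand;
    return active_rand;
}

/* Models library init seeding the PRNG, which is the first use of RAND. */
static void model_library_init(void) { (void)model_get_rand_method(); }

static void model_reset(void) { engine_default_rand = NULL; active_rand = NULL; }

/* Returns the name of the RAND provider in effect after both init steps. */
const char *rand_after_init(int engine_first) {
    model_reset();
    if (engine_first) { model_engine_init();  model_library_init(); }
    else              { model_library_init(); model_engine_init();  }
    return model_get_rand_method()->name;
}

int main(void) {
    printf("library init first: %s\n", rand_after_init(0));
    printf("engine init first:  %s\n", rand_after_init(1));
    return 0;
}
```

In the model, running library init first pins the software method, so the later engine registration never takes effect for RAND.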
Re: Enabling RAND redirection on crypto accelerator using OpenSSL ENGINE
On Wed, 23 Oct 2002, Frederic DONNAT wrote:

> A few weeks ago, I saw a CVS commit about this on the mod-ssl mailing list.
> But I see that apache-2.0.x has not been updated.

Good that you noticed this! Though there are many more experts on the
mod-ssl mailing list, this list can probably help you get the code in
apache 2.0 fixed.

Can you:

-> confirm that apache 2.0 needs this ?
-> supply us with a patch with the code for 2.0 ?

Dw
Re: Enabling RAND redirection on crypto accelerator using OpenSSL ENGINE
"Frederic DONNAT" <frederic.donnat@zencod.com> writes:

> A few months ago I submitted a patch for redirecting RAND on crypto accelerator for mod-ssl and apache-1.3.x.
>
> A few weeks ago, I saw a CVS commit about this on the mod-ssl mailing list.
> But I see that apache-2.0.x has not been updated.

maintainers of mod_ssl for Apache 1.3 apparently have to time for
Apache 2.0 mod_ssl

> I posted a message about this on the mod-ssl dev mailing list, but maybe I should post it somewhere else!

yes, if you have a concern about Apache 2.0 mod_ssl please post here,
but note that more skills are on mod-ssl dev mailing list

> So, in fact the patch is for the ssl_engine_init.c file in directory ./modules/ssl.
> Just modify the function calls:
> - ssl_engine_init ()
> - ssl_init_SSLlibrary ()
>
> "ssl_engine_init()" (line 300) should be called earlier, before "ssl_init_SSLlibrary()" (line 270).
>
> In fact you have to initialize the OpenSSL ENGINE before initializing the library, due to the fact that the OpenSSL default function pointer must be set to the ENGINE function pointer before library initialisation; otherwise you cannot modify the default settings.
>
> Geoff Thorpe comment:
> "ssl_init_SSLLibrary() must be seeding the PRNG, and thus initialising the set-on-first-use pointer in openssl to a default RAND_METHOD."
>
> Cliff Woolley comment:
> Well, I can't do anything about 1.3's mod_ssl, but if somebody can verify
> for me that the following fixes Apache 2.0's mod_ssl, I'll commit it.

apparently nobody verified for Cliff that it fixed the problem with
Apache 2.0

can you verify it?

can you post a patch with the change?

Thanks,

--
Jeff Trawick | trawick@attglobal.net
Born in Roswell... married an alien...