Posted to dev@httpd.apache.org by Gurpreet Grewal <gg...@gmail.com> on 2004/10/14 01:04:25 UTC

Apache with Security Processor - Interesting

I am trying to use a security processor (BCM 5823 from BroadCom) for
SSL processing. The whole objective is to make this security processor
do the SSL processing for any HTTPS requests the Apache server
receives.

Apache uses OpenSSL for SSL processing, instead of doing this I want
to be able to off load the SSL processing to the security processor.
Any one who has worked on such a problem? Any help would be
appreciated.

Thanks
Grewal

Re: Apache with Security Processor - Interesting

Posted by "V. T. Mueller, Continum" <v....@continum.net>.
On Thursday, 14 October 2004, Joe Orton wrote:
> The key questions are what OS are you using, and do you have a driver
> for the card which supports the /dev/cryptonet interface?  The BCM 5820
> card works fine in Linux if you have an appropriate driver, I don't know
> about other OSs, probably OpenBSD is fine too.  But you need to get the
> whole stack working properly: kernel driver, userspace tools, OpenSSL
> ENGINE support if necessary, build mod_ssl with
> -DSSL_EXPERIMENTAL_ENGINE, then configure with "SSLCryptoDevice ubsec".

The rainbow swift (now safenet cryptoswift) is available for
HP-UX and most other decent OSs, yet OpenBSD is not listed
on their webpage. AFAIK there *is* support for the rainbow
in OpenBSD, though.

Cheers,
vt

-- 
V. T. Mueller
Continum AG
Wentzinger Strasse 7a
79106 Freiburg i. Br.
http://www.continum.net
Tel.: +49 761 479409 70
Fax.: +49 761 479409 33
Mail: v.t.mueller@continum.net

Re: Apache with Security Processor - Interesting

Posted by Joe Orton <jo...@redhat.com>.
On Wed, Oct 13, 2004 at 04:04:25PM -0700, Gurpreet Grewal wrote:
> I am trying to use a security processor (BCM 5823 from BroadCom) for
> SSL processing. The whole objective is to make this security processor
> do the SSL processing for any HTTPS requests the Apache server
> receives.
> 
> Apache uses OpenSSL for SSL processing, instead of doing this I want
> to be able to off load the SSL processing to the security processor.
> Any one who has worked on such a problem? Any help would be
> appreciated.

The key questions are what OS are you using, and do you have a driver
for the card which supports the /dev/cryptonet interface?  The BCM 5820
card works fine in Linux if you have an appropriate driver, I don't know
about other OSs, probably OpenBSD is fine too.  But you need to get the
whole stack working properly: kernel driver, userspace tools, OpenSSL
ENGINE support if necessary, build mod_ssl with
-DSSL_EXPERIMENTAL_ENGINE, then configure with "SSLCryptoDevice ubsec".

joe

Re: Apache with Security Processor - Interesting

Posted by Madhusudan Mathihalli <ma...@gmail.com>.
I haven't tried replacing the entire SSL processing - but what I've
definitely done successfully is to replace the crypto in OpenSSL. It
works perfectly as long as you stick to the OpenSSL Engine
conventions.

The only change I had to do in Apache was to enable loading of dynamic
engines - load the 'dynamic' instead of 'engine_name' in
ssl_engine_init()  (if you use 'SSLCryptoDevice engine_name').

BTW, wouldn't it be better to load the 'dynamic' engine by default so
that Apache can be configured to use *any* OpenSSL Engine and not just
the default set of engine(s). Do you see any problems with that ?

-Madhu


On Wed, 13 Oct 2004 16:04:25 -0700, Gurpreet Grewal <gg...@gmail.com> wrote:
> I am trying to use a security processor (BCM 5823 from BroadCom) for
> SSL processing. The whole objective is to make this security processor
> do the SSL processing for any HTTPS requests the Apache server
> receives.
> 
> Apache uses OpenSSL for SSL processing, instead of doing this I want
> to be able to off load the SSL processing to the security processor.
> Any one who has worked
> on such a problem? Any help would be appreciated.
> 
> Thanks
> Grewal
>

Re: Apache with Security Processor - Interesting

Posted by Geoff Thorpe <ge...@geoffthorpe.net>.
On October 21, 2004 01:05 pm, Madhusudan Mathihalli wrote:
> On Wed, 20 Oct 2004 20:10:53 -0400, Geoff Thorpe <ge...@geoffthorpe.net> wrote:
> > Did the control-command support ever make it into a cvs-worthy form?
>
> Nope - I don't believe it is in the CVS. Can you re-send the patch ?

Um, all I have is an old version for mod_ssl (apache 1.3) on my website 
(in the "crypto" page) - it adds the SSLCryptoDeviceCtrl directive. IIRC, 
one of the Bills on this list ported this to 2.* form, you may be able 
to find it in the archives I guess (I'm at work and so not able to trawl 
for this right now). Note, I wasn't terribly pleased with how I 
implemented it, so I don't pretend to suggest this is the Right Way(tm).

> > That's a far more general way to squash this issue.
>
> Well.. I'm not sure of that - it'll probably be more clear after
> seeing your patch. AFAICT, we have to somehow force Apache to load
> the dynamic engine - and that's pretty much what my patch does.

Yes, and in your implementation you're doing this by issuing various 
control-commands exposed by the "dynamic" engine to achieve it. This 
magic may be a suitable transparent behaviour to use when the specified 
engine can't be initialised directly, but it's still limited to whatever 
logic you hard-code into the existing SSLCryptoDevice directive. Any 
other commands supported by the "dynamic" engine (let alone any supported 
by the targeted engine once it's loaded) would be inaccessible unless 
someone goes in and adds further C logic. Eg. if an engine requires 
configuration/authorisation, it can expose those details as 
control-commands and as long as there's a mechanism to pass arbitrary 
commands from the configuration file through, then Apache wouldn't need 
to be any the wiser. Eg. the existing autoloading magic, plus additional 
device-specific setup/control, could be achieved with;

SSLCryptoDevice      dynamic
SSLCryptoDeviceCtrl  SO_PATH:/lib/.../foobar.so
SSLCryptoDeviceCtrl  LOAD
[... the "dynamic" engine is now replaced by the loaded engine...]
SSLCryptoDeviceCtrl  FOOBAR_LOGFILE:[...]
SSLCryptoDeviceCtrl  FOOBAR_AUTH:[...]
...
[... appending 'post' executes commands after ENGINE_init() ...]
SSLCryptoDeviceCtrl  FOOBAR_LOCK    post
...

Without something like this, the functionality is limited to whatever is 
explicitly coded into apache, which I think is a little limiting. Also 
useful will be some alterations that allow HSM keys to be used - I can 
help with that if you like, but it'll definitely need control-command 
support first.

NB: Another way forward is to try and hook into Steve Henson's revisions 
to the configuration code. This essentially offloads all of this sort of 
stuff to an openssl-specific configuration file that is "executed" at the 
appropriate moment(s). We'd need to get Steve involved in that discussion 
though if you're interested (there are potential pros and cons to this).

Cheers,
Geoff

-- 
Geoff Thorpe
geoff@geoffthorpe.net
http://www.geoffthorpe.net/


Re: Apache with Security Processor - Interesting

Posted by Madhusudan Mathihalli <ma...@gmail.com>.
On Wed, 20 Oct 2004 20:10:53 -0400, Geoff Thorpe <ge...@geoffthorpe.net> wrote:
> On October 20, 2004 02:44 am, Madhusudan Mathihalli wrote:
> > If ppl think it'll be a good addition to Apache, I can clean it up and
> > try to commit it sometime tomorrow.
> 
> Did the control-command support ever make it into a cvs-worthy form?

Nope - I don't believe it is in the CVS. Can you re-send the patch ?

> That's a far more general way to squash this issue.

Well.. I'm not sure of that - it'll probably be more clear after
seeing your patch. AFAICT, we have to somehow force Apache to load
the dynamic engine - and that's pretty much what my patch does.

Thanks
-Madhu

Re: Apache with Security Processor - Interesting

Posted by Geoff Thorpe <ge...@geoffthorpe.net>.
On October 20, 2004 02:44 am, Madhusudan Mathihalli wrote:
> If ppl think it'll be a good addition to Apache, I can clean it up and
> try to commit it sometime tomorrow.

Did the control-command support ever make it into a cvs-worthy form? 
That's a far more general way to squash this issue. I could understand 
that you might want the single-line configuration semantics to be a bit 
smarter by default too, but I think that if you're going to this trouble, 
it would make sense to also expose engine control-commands to the 
configuration to let users do this sort of cleverness directly (and in 
any other ways they come up with without needing the code changed). Let 
me know if this isn't already in CVS because I had a diff floating around 
somewhere that did this.

Cheers,
Geoff
-- 
Geoff Thorpe
geoff@geoffthorpe.net
http://www.geoffthorpe.net/


Re: Apache with Security Processor - Interesting

Posted by Madhusudan Mathihalli <ma...@gmail.com>.
On Wed, 20 Oct 2004 07:38:17 +0100, Joe Orton <jo...@redhat.com> wrote:
> On Tue, Oct 19, 2004 at 11:30:26AM -0700, Madhusudan Mathihalli wrote:
> > On Tue, 19 Oct 2004 11:18:15 +0100, Joe Orton <jo...@redhat.com> wrote:
> > > Is this with OpenSSL 0.9.7 or .8? Best I can tell this won't work out of
> > > the box with 0.9.7, though if you made a bunch of changes in (1) of
> > > course that's great.  What changes did you make?
> >
> > It was with 0.9.7d. Here's a patch against Apache 2.1 - please note
> > that the original changes were made for 2.0, and tested against 2.0.
> 
> Nice, that looks good to me other than obligatory style nits s/( (/((/g
> etc ;)
> 
If ppl think it'll be a good addition to Apache, I can clean it up and
try to commit it sometime tomorrow.

-Madhu

Re: Apache with Security Processor - Interesting

Posted by Joe Orton <jo...@redhat.com>.
On Tue, Oct 19, 2004 at 11:30:26AM -0700, Madhusudan Mathihalli wrote:
> On Tue, 19 Oct 2004 11:18:15 +0100, Joe Orton <jo...@redhat.com> wrote:
> > Is this with OpenSSL 0.9.7 or .8? Best I can tell this won't work out of
> > the box with 0.9.7, though if you made a bunch of changes in (1) of
> > course that's great.  What changes did you make?
> 
> It was with 0.9.7d. Here's a patch against Apache 2.1 - please note
> that the original changes were made for 2.0, and tested against 2.0.

Nice, that looks good to me other than obligatory style nits s/( (/((/g
etc ;)

joe

Re: Apache with Security Processor - Interesting

Posted by Madhusudan Mathihalli <ma...@gmail.com>.
On Tue, 19 Oct 2004 11:18:15 +0100, Joe Orton <jo...@redhat.com> wrote:
> On Thu, Oct 14, 2004 at 10:03:50AM -0700, Madhusudan Mathihalli wrote:
> > Well.. not exactly based on my experience (maybe I'm wrong or worked
> > around something)
> >
> > Here's what I did:
> > 1. Enable loading of 'dynamic' engine by default
> > 2. Specify "SSLCryptoDevice <my_engine>"
> > 3. Put lib<my_engine>.so in apache/lib
> > 4. set SHLIB_PATH/LD_LIBRARY_PATH in apachectl to point to apache/lib
> >
> > This enabled me to start up Apache with the configured crypto engine.
> > I think the only limitation here is :
> 
> Is this with OpenSSL 0.9.7 or .8? Best I can tell this won't work out of
> the box with 0.9.7, though if you made a bunch of changes in (1) of
> course that's great.  What changes did you make?

It was with 0.9.7d. Here's a patch against Apache 2.1 - please note
that the original changes were made for 2.0, and tested against 2.0.

Thanks
-Madhu

Index: ssl_engine_config.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_config.c,v
retrieving revision 1.94
diff -u -r1.94 ssl_engine_config.c
--- ssl_engine_config.c 3 Jun 2004 15:00:15 -0000       1.94
+++ ssl_engine_config.c 19 Oct 2004 18:24:12 -0000
@@ -476,6 +476,20 @@
 }
 
 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
+
+ENGINE *ssl_load_dynamic_engine(const char *engine)
+{
+    ENGINE *e = ENGINE_by_id("dynamic");
+    if (e) {
+        if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine, 0) ||
+            !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) {
+            ENGINE_free(e);
+            e = NULL;
+        }
+    }
+    return e;
+}
+
 const char *ssl_cmd_SSLCryptoDevice(cmd_parms *cmd,
                                     void *dcfg,
                                     const char *arg)
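Review bot: In ssl_load_dynamic_engine() the SSLCryptoDevice argument is handed to SO_PATH unchanged, so any string the directive carries, including an absolute or relative path, selects the shared object that is loaded into the server. Consider accepting only a bare engine name resolved against a fixed library directory, and issuing the dynamic engine's ID control command before LOAD so the library is asked for that specific engine id. The failure path also returns NULL without telling the caller whether SO_PATH or LOAD failed, which makes a bad path hard to tell apart from a library that refused to bind.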
@@ -491,7 +505,7 @@
     if (strcEQ(arg, "builtin")) {
         mc->szCryptoDevice = NULL;
     }
-    else if ((e = ENGINE_by_id(arg))) {
+    else if ( (e = ENGINE_by_id(arg)) || (e = ssl_load_dynamic_engine(arg)) ) {
         mc->szCryptoDevice = arg;
         ENGINE_free(e);
     }
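Review bot: The fallback to ssl_load_dynamic_engine(arg) in ssl_cmd_SSLCryptoDevice() loads the shared object while the directive is being parsed, only for the ENGINE_free(e) two lines later to release it, and ssl_engine_init.c then loads it a second time. Pulling library code into the process at configuration-parse time just to validate a name is more than this directive needs; consider recording the name here and deferring the dynamic load to init, or keeping the ENGINE obtained here. Style: drop the padding in "( (e = ...) )" to match the surrounding code.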
Index: ssl_engine_init.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_init.c,v
retrieving revision 1.129
diff -u -r1.129 ssl_engine_init.c
--- ssl_engine_init.c   8 Oct 2004 11:59:32 -0000       1.129
+++ ssl_engine_init.c   19 Oct 2004 18:24:12 -0000
@@ -317,7 +317,8 @@
     ENGINE *e;
 
     if (mc->szCryptoDevice) {
-        if (!(e = ENGINE_by_id(mc->szCryptoDevice))) {
+        if ( !(e = ENGINE_by_id(mc->szCryptoDevice)) ||
+             !(e = ssl_load_dynamic_engine(mc->szCryptoDevice)) ) {
             ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                          "Init: Failed to load Crypto Device API `%s'",
                          mc->szCryptoDevice);
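Review bot: The rewritten test joins the two lookups with ||, which inverts the fallback. When ENGINE_by_id() fails, its negation is already true and the expression short-circuits into the error branch without ever calling ssl_load_dynamic_engine(); when ENGINE_by_id() succeeds, the second operand still runs, overwrites e (dropping the reference just obtained) and reports failure unless the same name also loads as a dynamic engine. The two negated lookups should be joined with && so the dynamic load is tried only after the id lookup fails, matching the condition used in ssl_engine_config.c.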
Index: ssl_private.h
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_private.h,v
retrieving revision 1.7
diff -u -r1.7 ssl_private.h
--- ssl_private.h       3 Jun 2004 15:00:15 -0000       1.7
+++ ssl_private.h       19 Oct 2004 18:24:12 -0000
@@ -636,4 +636,8 @@
 
 #define APR_SHM_MAXSIZE (64 * 1024 * 1024)
 
+#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
+ENGINE *ssl_load_dynamic_engine(const char *engine);
+#endif
+
 #endif /* SSL_PRIVATE_H */
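Review bot: The prototype for ssl_load_dynamic_engine() is added without a comment. Since the function returns an ENGINE reference on success and NULL on failure, state here that the caller must release the result with ENGINE_free(), as ssl_cmd_SSLCryptoDevice() does. The parameter name "engine" is also misleading given that it is passed as SO_PATH; a name such as so_path would describe it better.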

Re: Apache with Security Processor - Interesting

Posted by Joe Orton <jo...@redhat.com>.
On Thu, Oct 14, 2004 at 10:03:50AM -0700, Madhusudan Mathihalli wrote:
> Well.. not exactly based on my experience (maybe I'm wrong or worked
> around something)
> 
> Here's what I did:
> 1. Enable loading of 'dynamic' engine by default
> 2. Specify "SSLCryptoDevice <my_engine>"
> 3. Put lib<my_engine>.so in apache/lib
> 4. set SHLIB_PATH/LD_LIBRARY_PATH in apachectl to point to apache/lib
> 
> This enabled me to start up Apache with the configured crypto engine.
> I think the only limitation here is :

Is this with OpenSSL 0.9.7 or .8? Best I can tell this won't work out of
the box with 0.9.7, though if you made a bunch of changes in (1) of 
course that's great.  What changes did you make?

joe

Re: Apache with Security Processor - Interesting

Posted by Madhusudan Mathihalli <ma...@gmail.com>.
Well.. not exactly based on my experience (maybe I'm wrong or worked
around something)

Here's what I did:
1. Enable loading of 'dynamic' engine by default
2. Specify "SSLCryptoDevice <my_engine>"
3. Put lib<my_engine>.so in apache/lib
4. set SHLIB_PATH/LD_LIBRARY_PATH in apachectl to point to apache/lib

This enabled me to start up Apache with the configured crypto engine.
I think the only limitation here is :

If you configure "SSLCryptoDevice <engine_name>", the corresponding
shared library name should be : lib<engine_name>.so

-Madhu


On Thu, 14 Oct 2004 16:42:04 +0100, Joe Orton <jo...@redhat.com> wrote:
> On Thu, Oct 14, 2004 at 08:09:06AM -0700, Madhusudan Mathihalli wrote:
> > Hi Joe,
> >   It works against pre-compiled OpenSSL Engines - but not against new
> > (dynamic) engines - for that we *should* load the 'dynamic' engine.
> > (or is there some other method that I'm not aware of).
> 
> This needs new config directives to specify which DSO to load by my
> understanding?
> 
> joe
>

Re: Apache with Security Processor - Interesting

Posted by Joe Orton <jo...@redhat.com>.
On Thu, Oct 14, 2004 at 08:09:06AM -0700, Madhusudan Mathihalli wrote:
> Hi Joe,
>   It works against pre-compiled OpenSSL Engines - but not against new
> (dynamic) engines - for that we *should* load the 'dynamic' engine.
> (or is there some other method that I'm not aware of).

This needs new config directives to specify which DSO to load by my
understanding?

joe

Re: Apache with Security Processor - Interesting

Posted by Madhusudan Mathihalli <ma...@gmail.com>.
Hi Joe,
  It works against pre-compiled OpenSSL Engines - but not against new
(dynamic) engines - for that we *should* load the 'dynamic' engine.
(or is there some other method that I'm not aware of).

Thanks
-Madhu


On Thu, 14 Oct 2004 09:06:28 +0100, Joe Orton <jo...@redhat.com> wrote:
> On Wed, Oct 13, 2004 at 09:20:17PM -0700, Sander Temme wrote:
> > The SSL_EXPERIMENTAL_ENGINE stuff is in Apache 2.0 today, but IIRC it
> > doesn't actually work. You may need to use a CVS checkout of httpd-2.0
> > HEAD, but do tell us what you find.
> 
> It works fine in 2.0 (at least with the cards we test against), the only
> difference in HEAD is that you don't need to define
> SSL_EXPERIMENTAL_ENGINE to enable it.
> 
> joe
>

Re: Apache with Security Processor - Interesting

Posted by Joe Orton <jo...@redhat.com>.
On Wed, Oct 13, 2004 at 09:20:17PM -0700, Sander Temme wrote:
> The SSL_EXPERIMENTAL_ENGINE stuff is in Apache 2.0 today, but IIRC it  
> doesn't actually work. You may need to use a CVS checkout of httpd-2.0  
> HEAD, but do tell us what you find.

It works fine in 2.0 (at least with the cards we test against), the only
difference in HEAD is that you don't need to define
SSL_EXPERIMENTAL_ENGINE to enable it.

joe

Re: Apache with Security Processor - Interesting

Posted by Sander Temme <sa...@temme.net>.
Hi Gurpreet,

On Oct 13, 2004, at 4:04 PM, Gurpreet Grewal wrote:

> I am trying to use a security processor (BCM 5823 from BroadCom) for
> SSL processing. The whole objective is to make this security processor
> do the SSL processing for any HTTPS requests the Apache server
> receives.
>
> Apache uses OpenSSL for SSL processing, instead of doing this I want
> to be able to off load the SSL processing to the security processor.
> Any one who has worked
> on such a problem? Any help would be appreciated.

As Madhu points out, the Broadcom chip works as crypto offload engine  
behind OpenSSL. It doesn't take care of all SSL processing: if you want  
that you might want to look at Layer N Networks (http://www.layern.com/  
disclaimer: I work there).

The hardware crypto engine in OpenSSL must be enabled programmatically.  
Unfortunately, support for the OpenSSL engine is not really mainstream  
yet in Apache 2.0. There is some code in HEAD (a.k.a. Apache 2.1),  
which is waiting for some build phase magic and more votes for a  
backport: see the Apache 2.0 STATUS file

http://cvs.apache.org/viewcvs.cgi/httpd-2.0/STATUS?rev=1.751.2.1122&only_with_tag=APACHE_2_0_BRANCH&view=markup

(scroll down about 1/4 or search for SSL_EXPERIMENTAL_ENGINE).

The SSL_EXPERIMENTAL_ENGINE stuff is in Apache 2.0 today, but IIRC it  
doesn't actually work. You may need to use a CVS checkout of httpd-2.0  
HEAD, but do tell us what you find.

S.

-- 
sander@temme.net              http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF