ENGINE
======

With OpenSSL 0.9.6, a new component has been added to support external
crypto devices, for example accelerator cards. The component is called
ENGINE, and still has a pretty experimental status and almost no
documentation. It's designed to be fairly easily extensible by the
calling programs.

There's currently built-in support for the following crypto devices:

    o CryptoSwift
    o Compaq Atalla
    o nCipher CHIL

A number of things are still needed and are being worked on:

    o An openssl utility command to handle or at least check available
      engines.
    o A better way of handling the methods that are handled by the
      engines.
    o Documentation!

What already exists is fairly stable as far as it has been tested, but
the test base has been a bit small most of the time.

Because of this experimental status and what's lacking, the ENGINE
component is not yet part of the default OpenSSL distribution. However,
we have made a separate kit for those who want to try this out, to be
found in the same places as the default OpenSSL distribution, but with
"-engine-" being part of the kit file name. For example, version 0.9.6
is distributed in the following two files:

    openssl-0.9.6.tar.gz
    openssl-engine-0.9.6.tar.gz

NOTES
=====

openssl-engine-0.9.6.tar.gz does not depend on openssl-0.9.6.tar; you do
not need to download both.

openssl-engine-0.9.6.tar.gz is usable even if you don't have an external
crypto device. The internal OpenSSL functions are contained in the
engine "openssl", and will be used by default.

No external crypto device is chosen unless you say so. You have to
actively tell the openssl utility commands to use it through a new
command line switch called "-engine". And if you want to use the ENGINE
library to do something similar, you must also explicitly choose an
external crypto device, or the built-in crypto routines will be used,
just as in the default OpenSSL distribution.

PROBLEMS
========

It seems like the ENGINE part doesn't work too well with CryptoSwift on
Win32. A quick test done right before the release showed that trying
"openssl speed -engine cswift" generated errors. If the DSO gets enabled,
an attempt is made to write at memory address 0x00000002.