OpenSSL ENIGNE support for OpenSSH
Ben Lindstrom
mouring at etoh.eviladmin.org
Mon Jul 5 11:43:19 EST 2004
On Sun, 4 Jul 2004, Darren Tucker wrote:
> Michal Ludvig wrote:
> > attached is a patch that enables using hardware crypto accelerators
> > available through OpenSSL library for SSH operations. Especially in
> > ssh/sshd it can bring a significant speed improvement. OTOH if no crypto
> > engine is available, nothing bad happens and default software crypto
> > routines are used.
>
> The ENGINE functionality is not available in all OpenSSL versions that
> OpenSSH supports (it's not in 0.9.5 and it's a separate package for
> 0.9.6), so your patch will fail to compile on those.
>
> I don't know about adding it to the main tree.. comments? If it is, it
> should be either detected automatically at build time or be a configure
> option (eg --with-ssl-engine). Maybe just something like this in defines.h:
>
> #if defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER > 0x0090700f)
> # define USE_OPENSSL_ENGINE
> #endif
>
I'd rather see OpenSSL team correct their code so we don't have to do this
type of crap work. There is no reason why we should have to initialize
the OpenSSL ENGINE code.
As far as I know OpenSSH works just fine with software/hardware encryption
via OpenSSL without these changes.
I think we are best off waiting until they get their act together.
- Ben
More information about the openssh-unix-dev
mailing list