[Bug 1440] OpenSSL engine support should be enabled by default

bugzilla-daemon at bugzilla.mindrot.org
Fri Jul 31 15:21:11 EST 2009


https://bugzilla.mindrot.org/show_bug.cgi?id=1440





--- Comment #5 from Darren Tucker <dtucker at zip.com.au>  2009-07-31 15:21:10 ---
(In reply to comment #4)
> Given what you've pointed out about other classes of hardware engine, I
> guess I should file a new bug requesting some means of distinguishing
> classes of hardware engine?

IMO the most sensible way to handle this is for libcrypto to
automatically use the processor feature if appropriate (OpenBSD does
this).  Some Linux vendors ship different openssl packages for
different processors (i386 vs i686, the latter making use of
instructions not available on previous generations of processors). 
Anyway, I think it doesn't make sense to have every crypto-using
application have to deal with this.

Doing a bit of reading
(http://marc.info/?l=openssl-dev&m=108903127031777&w=2) it looks like
another option is to use openssl.cnf via its [engine_section] (see
http://www.daemon-systems.org/man/openssl.cnf.5.html).

Based on http://www.openssl.org/docs/crypto/OPENSSL_config.html, it
looks like all we'd have to do is add a call of OPENSSL_config(NULL) to
ssh, which I think would be reasonable (assuming it does what I think
it does).

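An openssl.cnf fragment of the kind the comment refers to, added here as an illustration and not taken from the bug report or from OpenSSH. The engine id `example_hw` and the section names other than `engine_section` are placeholders.

```ini
# Constructed example: engine id and most section names are placeholders.
# This file only takes effect in programs that load the default
# configuration, e.g. by calling OPENSSL_config(NULL), which looks up
# the "openssl_conf" name in the unnamed top section.
openssl_conf = openssl_init

[openssl_init]
# points libcrypto at the section listing the engines to configure
engines = engine_section

[engine_section]
# left side is a label; right side names that engine's own section
example_hw = example_hw_section

[example_hw_section]
# engine to load (overrides the label used in engine_section)
engine_id = example_hw
# route only these algorithm classes to the engine
default_algorithms = CIPHERS,DIGESTS
# 1 = attempt to initialise the engine while the config is being loaded
init = 1
```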