how to static compile ssl engine into openssl

how to static compile ssl engine into openssl

程文平

Hi all,

I’m working on accelerating SSL traffic with an Intel QAT card. Now OpenSSL 1.1.0f is integrated into Nginx, so I need to statically compile the Intel QAT engine into OpenSSL, and I have not found any useful info about it on the Internet. Although there is openssl-1.1.0f/engines/build.info, it is not applicable to the QAT engine from https://github.com/01org/QAT_Engine. Is there a guideline for this case?

There is another alternative to do it, just to compile openssl and nginx alone, but it will take effort to deploy it.

Any help is appreciated.

Nick Cheng


--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: how to static compile ssl engine into openssl

Richard Levitte - VMS Whacker-2
In message <[hidden email]> on Mon, 25 Sep 2017 10:16:28 +0000, 程文平 <[hidden email]> said:

chengwenping1> I’m working on accelerating ssl traffic with Intel QAT
chengwenping1> card, now openssl 1.1.0f is integrated into Nginx, so I
chengwenping1> need to static compile Intel QAT engine into openssl,
chengwenping1> and I do not find some useful info about it from
chengwenping1> Internet, although openssl-1.1.0f/engines/ build.info,
chengwenping1> it is not applicable from QAT engine from
chengwenping1> https://github.com/01org/QAT_Engine. Is there a guide
chengwenping1> line for this case?

Unfortunately, there is no such guide that I know of.  I just had a
look in e_qat.c, and there seems to be support for doing that there
(see the sections guarded by OPENSSL_NO_DYNAMIC_ENGINES), but I can't
see any way to make use of that in their configuration.

If this is what you really want, I suggest you create an issue in the
QAT_Engine project...  but you probably need to understand that you
may not get what you want, and if you do, it's probably going to be an
unsupported hack.

chengwenping1> There is another alternative to do it, just to alone
chengwenping1> compile openssl and nginx, but it will take effort to
chengwenping1> deploy it.

You mean to have nginx use the shared OpenSSL libraries, which also
enables dynamic engines?  Yes, that's the usual way to go about these
things.

Cheers,
Richard

--
Richard Levitte         [hidden email]
OpenSSL Project         http://www.openssl.org/~levitte/

Re: how to static compile ssl engine into openssl

程文平
Hi Richard,

Thanks for your response. From what you say, the QAT engine code is not applicable for static compilation into openssl.
Yes, I should keep running nginx using shared OpenSSL libraries with dynamic QAT engines installed, until QAT engine static compiling is supported.

Thanks,

Nick Cheng

Re: how to static compile ssl engine into openssl

程文平
In reply to this post by Richard Levitte - VMS Whacker-2
There is some more info.

https://github.com/01org/QAT_Engine/issues/9


Re: how to static compile ssl engine into openssl

Linsell, StevenX
In reply to this post by 程文平
On 26/09/2017, Levitte, Richard via openssl-dev wrote:

>
> chengwenping1> I’m working on accelerating ssl traffic with Intel QAT
> chengwenping1> card, now openssl 1.1.0f is integrated into Nginx, so I
> chengwenping1> need to static compile Intel QAT engine into openssl, and
> chengwenping1> I do not find some useful info about it from Internet,
> chengwenping1> although openssl-1.1.0f/engines/ build.info, it is not
> chengwenping1> applicable from QAT engine from
> chengwenping1> https://github.com/01org/QAT_Engine. Is there a guide
> chengwenping1> line for this case?
>
> Unfortunately, there is no such guide that I know of.  I just had a look in
> e_qat.c, and there seems to be support for doing that there (see the
> sections guarded by OPENSSL_NO_DYNAMIC_ENGINES), but I can't see any
> way to make use of that in their configuration.
>
> If this is what you really want, I suggest you create an issue in the
> QAT_Engine project...  but you probably need to understand that you may
> not get what you want, and if you do, it's probably going to be an
> unsupported hack.

I can confirm that the Intel QuickAssist Technology (QAT) OpenSSL Engine
does not support compiling as a static engine against OpenSSL 1.1.0f.
As Richard observed, there is some legacy code remaining in the engine
that would allow it to work as a static engine, but if you wanted to build
that way you would need to make modifications to the OpenSSL build
system to compile in the engine and then some further code changes
for it to use the engine. We purposely left that code in the engine from
the previous OpenSSL 1.0.1 engine just in case someone needed a static
build, but it is untested against OpenSSL 1.1.0.
There was a discussion around the feasibility of adding the QAT Engine
to the OpenSSL project the other year but it is OpenSSL's direction not to
accept new hardware engines into the project as the burden of needing
specific hardware and expertise to maintain those engines is too great.  
Without the engine being part of the main OpenSSL project it is not really
feasible to have a static engine as we would need to maintain some sort
of OpenSSL patch to make everything work together.

Steve Linsell                         Intel Shannon DCG/CID Software Development Team
[hidden email]
 

Re: how to static compile ssl engine into openssl

Kurt Roeckx
In reply to this post by Richard Levitte - VMS Whacker-2
On Tue, Sep 26, 2017 at 07:32:06AM +0200, Richard Levitte wrote:
>
> You mean to have nginx use the shared OpenSSL libraries, which also
> enables dynamic engines?  Yes, that's the usual way to go about these
> things.

Do we support dynamic engines with a static build?


Kurt


Re: how to static compile ssl engine into openssl

Richard Levitte - VMS Whacker-2
In message <[hidden email]> on Tue, 26 Sep 2017 22:30:53 +0200, Kurt Roeckx <[hidden email]> said:

kurt> On Tue, Sep 26, 2017 at 07:32:06AM +0200, Richard Levitte wrote:
kurt> >
kurt> > You mean to have nginx use the shared OpenSSL libraries, which also
kurt> > enables dynamic engines?  Yes, that's the usual way to go about these
kurt> > things.
kurt>
kurt> Do we support dynamic engines with a static build?

No we don't.  no-shared means no-dynamic-engine

Cheers,
Richard

--
Richard Levitte         [hidden email]
OpenSSL Project         http://www.openssl.org/~levitte/
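
The constraint stated above (a static OpenSSL build has no dynamic engines) can be checked on a deployed nginx binary before trying to load an engine such as QAT. The following is an added example, not part of the original thread: the function names are hypothetical, the sample `ldd` and `nginx -V` text is constructed, and it assumes that nginx's `--with-openssl=` configure argument marks an OpenSSL built from source and linked in statically.

```shell
#!/bin/sh
# Added example (not from the thread). Decide from captured tool output
# whether an nginx binary can load a dynamic engine.
#   $1: text of `ldd /path/to/nginx`
#   $2: text of `nginx -V 2>&1`
# Prints one of: shared | missing | static | unknown
openssl_linkage() {
    ldd_out=$1
    nginx_v=$2
    # First line of the ldd output that names libcrypto, if any.
    crypto_line=$(printf '%s\n' "$ldd_out" | grep -E 'libcrypto\.so' | head -n 1)
    if [ -n "$crypto_line" ]; then
        case $crypto_line in
            *"not found"*) echo missing ;;  # shared build, library unresolved
            *)             echo shared ;;   # dynamic engines are possible
        esac
        return 0
    fi
    # No libcrypto dependency: treat OpenSSL as statically linked when nginx
    # was configured with --with-openssl=<source dir> (assumption, see lead-in).
    # The '=' must follow directly, so --with-openssl-opt= does not match.
    if printf '%s\n' "$nginx_v" | grep -Eq -- '--with-openssl=[^[:space:]]+'; then
        echo static
    else
        echo unknown
    fi
}

# Per the thread: no-shared means no-dynamic-engine.
dynamic_engines_possible() {
    [ "$(openssl_linkage "$1" "$2")" = shared ]
}

# Constructed sample inputs (not captured from a real host).
LDD_SHARED='    libssl.so.1.1 => /usr/local/ssl/lib/libssl.so.1.1 (0x00007f0000200000)
    libcrypto.so.1.1 => /usr/local/ssl/lib/libcrypto.so.1.1 (0x00007f0000000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007effffc00000)'
LDD_MISSING='    libcrypto.so.1.1 => not found
    libc.so.6 => /lib64/libc.so.6 (0x00007effffc00000)'
LDD_STATIC='    libdl.so.2 => /lib64/libdl.so.2 (0x00007f0000400000)
    libc.so.6 => /lib64/libc.so.6 (0x00007effffc00000)'
V_SHARED='configure arguments: --with-http_ssl_module'
V_STATIC='configure arguments: --with-http_ssl_module --with-openssl=../openssl-1.1.0f --with-openssl-opt=no-asm'

echo "shared sample:  $(openssl_linkage "$LDD_SHARED" "$V_SHARED")"
echo "missing sample: $(openssl_linkage "$LDD_MISSING" "$V_SHARED")"
echo "static sample:  $(openssl_linkage "$LDD_STATIC" "$V_STATIC")"
```

On a real host, pass `"$(ldd "$(command -v nginx)")"` and `"$(nginx -V 2>&1)"` as the two arguments.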

Re: how to static compile ssl engine into openssl

Paul Yang
In reply to this post by 程文平

On 26 Sep 2017, at 18:13, 程文平 <[hidden email]> wrote:


Interesting. This issue was created by me last year; it seems some people are still struggling with the combination of NGINX+OpenSSL+QAT.

Our solution is just to build OpenSSL dynamically with NGINX (although usually most Chinese companies I know like to build OpenSSL statically with NGINX).

