[Dovecot] Solaris hardware crypto engines
preen at informatik.uni-freiburg.de
Mon Nov 21 11:18:02 EET 2011
After several tests (and reading a lot of howtos) I'm now fairly convinced
that the Solaris HW-crypto engine is not automatically used, even when Dovecot
is compiled with the OpenSSL version provided by Solaris.
Currently I have only a T1-CPU available for testing (Sun Fire T2000) and
after patching src/login-common/ssl-proxy-openssl.c (Dovecot 1.2.17) with
in ssl_proxy_init() and inserting ENGINE_cleanup(); in ssl_proxy_deinit()
the crypto device gets used. I'm sure that this is not the whole story since
this only seems to affect the IMAP login.
One has to use the specific SSL engine and the ENGINE/EVP calls (as stated in
the various articles). Is there any chance that Dovecot gets updated/patched
for this? E.g. like the SSLCryptoDevice setting in Apache's mod_ssl.
Chris Hoogendyk wrote:
> On 4/18/11 6:30 AM, Martin Preen wrote:
>> I tried to find out how to use the hardware crypto engines under
>> Solaris (Sun Fire T2000). It seems that it's not just a compilation
>>> For operations that are to be offloaded, it is necessary to restrict
>>> use to subset of OpenSSL functions (the EVP_ functions) and explicitly
>>> indicate the use of the PKCS11 engine; something like the following
>>> works for bulk ciphers (the process for RSA is similar):
>>> ENGINE *e;
>>> e = ENGINE_by_id("pkcs11");
>>> EVP_CIPHER_CTX_init (&ctx);
>>> EVP_EncryptInit (&ctx, EVP_des_cbc (), key, iv);
>>> EVP_EncryptUpdate (.....);
>> Since I'm not familiar with SSL programming, I wonder if it's possible to
>> modify the dovecot 1.2.x source code. Maybe someone has already tried
>> or can give me a hint.
> You don't want to do that.
> The objective is for the ssl engine to be low level and basically
> invisible to layers of application above that use it. So, build openssl
> properly and it just works for everything else.
> I'm not at work today, so I don't have reference to my notes. Ah, just
> found an email I sent to my colleagues -- copied it below.
Martin Preen, Universität Freiburg, Institut für Informatik
Georges-Koehler-Allee 52, Raum EG-006, 79110 Freiburg, Germany
phone: ++49 761 203-8250 preen at informatik.uni-freiburg.de
fax: ++49 761 203-8242 swt.informatik.uni-freiburg.de/~preen