Update for OpenSSL PKCS#11 engine
We have found a couple of bugs in the engine since the last update:
- 6375348 Using pkcs11 as the SSLCryptoDevice with Apache/OpenSSL causes significant performance drop
- 6573196 memory is leaked when OpenSSL is used with PKCS#11 engine
Updated engine patch against latest stable source code release of OpenSSL: pkcs11_engine-0.9.8e.patch.2007-09-26 (README)
This is great news. These fixes don't seem to be in 10u4. Do you know if/when they'll be backported to Solaris 10?
Posted by Derek Morr on September 26, 2007 at 03:34 PM CEST #
Hi Derek, no, they are not there. They will be in 10u5 and also in a patch. However, I can't tell you any ETA for this patch since we don't know now.
Posted by Jan on September 27, 2007 at 11:31 AM CEST #
Hi!
I just installed Solaris 10 U5 on T1000. I am still getting "140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac" error. Both wget and curl clients report this error from time to time when load is around 10-20 connections per second with a static web page served by Apache 2.2.8:
wget --no-check-certificate https://192.71.188.142:8443/ -O /tmp/roska >> wgetlog 2>> wgeterrorlog
curl -k --sslv3 https://192.71.188.142:8443/ >> curllog 2>> curlerrorlog
Here is how I build Apache:
CFLAGS='-DSSL_EXPERIMENTAL -DSSL_ENGINE' ./configure --prefix=/export/home/apa/apache --enable-cache --enable-mem-cache --enable-ssl --with-mpm=prefork --enable-rule=SSL_EXPERIMENTAL --with-ssl=/usr/sfw --enable-deflate
make
make install
I have tested some other build options as well but they have not managed to get rid of those errors. If I comment out "SSLCryptoDevice pkcs11" in httpd.conf both clients work fine. But the CPU usage grows on the server as expected.
Posted by Antti Paju on April 23, 2008 at 09:36 AM CEST #
We have been working on roughly 15 bugs in the engine we have found during the past few months. I think one of them should fix your issue. When we put those fixes back to Nevada, I'll release a new patch. I hope it will be within one month.
Posted by Jan on April 23, 2008 at 02:16 PM CEST #