From: Rumen Telbizov
To: Charles Swiger
Cc: security@freebsd.org
Date: Fri, 9 Apr 2004 12:07:05 +0300
Subject: Re: recommended SSL-friendly crypto accelerator
Message-ID: <20040409090705.GS293@e-card.bg>
In-Reply-To: <3009DCC4-8986-11D8-88D0-003065ABFD92@mac.com>

Hi

> I can second/confirm Mike's observations here.
>
> I've got a pair of HI/FN 7951 cards which get used by SSH if I select
> 3DES, but there is no sign that Apache attempts to use it for either
> the public-key RSA/DSA crypto during HTTPS session startup, nor later
> for the symmetric crypto.
Excuse my ignorance but I think it would be appropriate to clarify the
architecture of using cryptocards with openssl. Sorry if this has been
discussed.

I assume the following:

1. We have an ssl library - openssl.
2. We have a crypto card(s) installed.
3. We have applications using openssl functions say mod_ssl, ssh.

If the crypto card is supported, then openssl should be able to use its
registered functions - say 3DES. If both ssh and mod_ssl use the same
library - openssl - and its functions (3DES), how come that one
application benefits from the hardware acceleration and the other one
does not?!

If there are other details that I'm missing in this picture I'll be glad
to know them.

Thank you
Rumen Telbizov