bugzilla-daemon at bugzilla.mindrot.org
2011-Mar-26 17:52 UTC
[Bug 1882] New: Since 5.7p1 OpenSSH doesn't take advantage of OpenSSL hardware engine
https://bugzilla.mindrot.org/show_bug.cgi?id=1882
Summary: Since 5.7p1 OpenSSH doesn't take advantage of OpenSSL
hardware engine
Product: Portable OpenSSH
Version: 5.7p1
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: scp
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: opod at nic-nac-project.org
I have a VIA C7 box which supports hardware acceleration for aes-cbc
with OpenSSL 'padlock' engine.
I have defined the padlock engine as default in /etc/ssl/openssl.conf
and it has worked for OpenSSH versions 5.4p1 through 5.6p1. With 5.7p1
and 5.8p1 the hardware acceleration is no longer used.
Both OpenSSH versions are configured as such:
./configure --prefix=/usr --libexecdir=/usr/lib/ssh \
--sysconfdir=/etc/ssh --with-tcp-wrappers
--with-privsep-user=nobody \
--with-md5-passwords --with-pam --with-mantype=man
--mandir=/usr/share/man \
--with-xauth=/usr/bin/xauth --with-kerberos5=/usr
--with-ssl-engine \
--with-libedit=/usr/lib
I am enclosing verbose client logs, but I don't know if they will be of
any use. I'll be happy to provide any additional information that is
required.
I am filing this against scp as this is how I can verify if the
hardware acceleration is working or not, but this is probably a deeper
problem.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-Mar-26 17:52 UTC
[Bug 1882] Since 5.7p1 OpenSSH doesn't take advantage of OpenSSL hardware engine
https://bugzilla.mindrot.org/show_bug.cgi?id=1882 --- Comment #1 from opod at nic-nac-project.org 2011-03-27 04:52:40 EST --- Created attachment 2022 --> https://bugzilla.mindrot.org/attachment.cgi?id=2022 5.6p1 client -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-Mar-26 17:53 UTC
[Bug 1882] Since 5.7p1 OpenSSH doesn't take advantage of OpenSSL hardware engine
https://bugzilla.mindrot.org/show_bug.cgi?id=1882 --- Comment #2 from opod at nic-nac-project.org 2011-03-27 04:53:11 EST --- Created attachment 2023 --> https://bugzilla.mindrot.org/attachment.cgi?id=2023 5.8p1 client -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-May-05 16:42 UTC
[Bug 1882] Since 5.7p1 OpenSSH doesn't take advantage of OpenSSL hardware engine
https://bugzilla.mindrot.org/show_bug.cgi?id=1882 --- Comment #3 from opod at nic-nac-project.org 2011-05-06 02:42:55 EST --- The bug still persists with 5.8p2. I'll happily provide more information, just tell me what you need. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-May-06 00:22 UTC
[Bug 1882] Since 5.7p1 OpenSSH doesn't take advantage of OpenSSL hardware engine
https://bugzilla.mindrot.org/show_bug.cgi?id=1882
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at zip.com.au
Depends on| |1845
--- Comment #4 from Darren Tucker <dtucker at zip.com.au> 2011-05-06
10:22:30 EST ---
You can forcibly enable hardware support with
./configure --with-ssl-engine
although I'm not sure what would have changed to stop an override in
openssl.cnf from working (without --with-ssl-engine it does the same
thing it used to do).
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-May-06 01:59 UTC
[Bug 1882] Since 5.7p1 OpenSSH doesn't take advantage of OpenSSL hardware engine
https://bugzilla.mindrot.org/show_bug.cgi?id=1882 --- Comment #5 from Darren Tucker <dtucker at zip.com.au> 2011-05-06 11:59:41 EST --- ... which you have. I'm going to attach a patch to add some debugging, please try again with that and attach the output of the client with ssh -vvv. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-May-06 02:12 UTC
[Bug 1882] Since 5.7p1 OpenSSH doesn't take advantage of OpenSSL hardware engine
https://bugzilla.mindrot.org/show_bug.cgi?id=1882
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #2041| |ok?(djm at mindrot.org)
Flags| |
--- Comment #6 from Darren Tucker <dtucker at zip.com.au> 2011-05-06
12:12:49 EST ---
Created attachment 2041
--> https://bugzilla.mindrot.org/attachment.cgi?id=2041
switch from SSLeay_add_all_algorithms to OpenSSL_add_all_algoritms for
compat hook
ah, I think I see what happened. We changed from the old
(undocumented) SSLeay_add_all_algorithms() function the new
(documented) OpenSSL_add_all_algorithms() function, and in doing so we
no longer called the hook in the compat library we use to enable this.
Please try the attached patch.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-May-06 02:32 UTC
[Bug 1882] Since 5.7p1 OpenSSH doesn't take advantage of OpenSSL hardware engine
https://bugzilla.mindrot.org/show_bug.cgi?id=1882
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #2041|ok?(djm at mindrot.org) |ok+
Flags| |
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-May-06 17:25 UTC
[Bug 1882] Since 5.7p1 OpenSSH doesn't take advantage of OpenSSL hardware engine
https://bugzilla.mindrot.org/show_bug.cgi?id=1882
opod at nic-nac-project.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #7 from opod at nic-nac-project.org 2011-05-07 03:25:55 EST ---
This does indeed work, thank you for addressing this issue.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-May-10 01:13 UTC
[Bug 1882] Since 5.7p1 OpenSSH doesn't take advantage of OpenSSL hardware engine
https://bugzilla.mindrot.org/show_bug.cgi?id=1882 --- Comment #8 from Darren Tucker <dtucker at zip.com.au> 2011-05-10 11:13:55 EST --- Committed, thanks. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06 05:32 UTC
[Bug 1882] Since 5.7p1 OpenSSH doesn't take advantage of OpenSSL hardware engine
https://bugzilla.mindrot.org/show_bug.cgi?id=1882
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #9 from Damien Miller <djm at mindrot.org> 2011-09-06 15:32:53
EST ---
close resolved bugs now that openssh-5.9 has been released
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06 23:55 UTC
[Bug 1882] Since 5.7p1 OpenSSH doesn't take advantage of OpenSSL hardware engine
https://bugzilla.mindrot.org/show_bug.cgi?id=1882
Bug 1882 depends on bug 1845, which changed state.
Bug 1845 Summary: Bugs intended to be fixed in 5.9
https://bugzilla.mindrot.org/show_bug.cgi?id=1845
What |Old Value |New Value
----------------------------------------------------------------------------
Resolution| |FIXED
Status|NEW |RESOLVED
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.