SSLCryptoDevice: works as a static, not as a DSO...?

on 28.06.2002 06:23:06 by James Bromberger

Hey people.

I have been running fine with Apache + Mod_SSL under Solaris with
everything working fine. I am now recompiling to Apache 1.3.26, Mod_SSL
2.8.10, OpenSSL 0.9.6d, and MM1.1.3. My httpd.conf is pretty much the
default, except for just above the SSLPassPhraseDialog (around line
1090) where I have:
    SSLCryptoDevice cswift

(it is a Sun Crypto Accelerator 1 (just a rebadged CryptoSwift) in a
Netra T1, on Solaris 8)


There are two compiles I have done: one where I have done everything as
a static, and one where it is DSO. When static, I removed my LoadModules
and AddModules, and of course, when as a DSO, I add these back in. All
pretty straightforward.

When I use static, my hardware crypto is working and everything is
wonderful. Birds sing, etc...

When I go DSO and then `apachectl configtest`:

    Invalid command 'SSLCryptoDevice', perhaps mis-spelled
    or defined by a module not included in the server configuration

Which is odd, because all the other SSL directives are OK. If I do a
`strings libexec/libssl.so` then I can see that the SSLCryptoDevice is
mentioned in the module, however using mod_info, it is not mentioned
against mod_ssl as being available.

Does anyone know what is going on here? Why would this work fine as a
static, and not as a DSO? This was working with earlier versions (1.3.20
& 2.8.4 & 0.9.6b).

Any help appreciated.

James

--
James Bromberger,
Senior Web/Systems Administrator, JDV
+61 8 9268 2909, +61 417 322 500
Fax: +61 8 9266 0200

JDV - e-Commerce and Outsourcing Solutions for Financial Services
http://www.jdv.com/


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: SSLCryptoDevice: works as a static, not as a DSO...?

on 28.06.2002 07:45:39 by dufresne

It might depend upon how you compiled openssl, was it compiled shared
also?

Thanks,

Ron DuFresne



--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!


Re: SSLCryptoDevice: works as a static, not as a DSO...?

on 28.06.2002 08:18:22 by James Bromberger

Thanks Ron... I just did this, and there was no change -- it still
doesn't like this directive:
Invalid command 'SSLCryptoDevice', perhaps mis-spelled
or defined by a module not included in the server configuration

My build was effectively:
    cd openssl* && sh config -fPIC -DSSL_EXPERIMENTAL shared && make && cd ..
    cd mm-1.1.3 && ./configure --disable-shared && make && cd ..
    cd mod_ssl-2.8.10-1.3.26 && ./configure \
        --with-apache=../apache_1.3.26 \
        --with-ssl=../openssl-engine-0.9.6d \
        --with-mm=../mm-1.1.3 \
        --enable-rule=SSL_EXPERIMENTAL \
        --enable-module=ssl \
        --prefix=/usr/local/apache --enable-shared=ssl \
        --enable-module=most \
        --enable-shared=max --enable-module=so && cd ..
    cd apache_1.3.26 && make && make install
    package-root=`pwd`/package-root


The difference I am doing is removing the "--enable-shared=ssl" and
"--enable-shared=max", and then it works (as a static).

Thanks,

James

--
James Bromberger,
Senior Web/Systems Administrator, JDV
+61 8 9268 2909, +61 417 322 500
Fax: +61 8 9266 0200


Re: SSLCryptoDevice: works as a static, not as a DSO...?

on 28.06.2002 09:15:56 by dufresne

I was thinking, and perhaps wrongly for versions prior to apache 2, that
modules required openssl be shared, but, earlier mod-ssl based versions I
do not think were so limited, being how they were built with ssl support.

I'm pretty sure, and others will correct me if I'm wrong that openssl, the
engine version, is the part that enables crypto devices cards>, and the
documentation for it should define those devices it supports;

This is from the README.ENGINE file for openssl-engine-0.9.6b/, note that
this is not the most current version, and 0.9.6d might well have new
device support:


ENGINE
======

With OpenSSL 0.9.6, a new component has been added to support external
crypto devices, for example accelerator cards. The component is called
ENGINE, and has still a pretty experimental status and almost no
documentation. It's designed to be faily easily extensible by the
calling programs.

There's currently built-in support for the following crypto devices:

o CryptoSwift
o Compaq Atalla
o nCipher CHIL

....

No external crypto device is chosen unless you say so. You have
actively tell the openssl utility commands to use it through a new
command line switch called "-engine". And if you want to use the ENGINE
library to do something similar, you must also explicitely choose an
external crypto device, or the built-in crypto routines will be used,
just as in the default OpenSSL distribution.


PROBLEMS
========

It seems like the ENGINE part doesn't work too well with Cryptoswift on
Win32. A quick test done right before the release showed that trying
"openssl speed -engine cswift" generated errors. If the DSO gets
enabled, an attempt is made to write at memory address 0x00000002.


Unfortunately, the documentation on the engine directives is fairly poor
and sparse.

If I recall, others have used such devices with the engine version and may
well be able to help you more than I can at present. They should respond a
tad later in the day as the sun rises near their locations.

Sorry I'm not of more help here.

Thanks,

Ron DuFresne



Re: SSLCryptoDevice: works as a static, not as a DSO...?

on 28.06.2002 09:21:49 by Cliff Woolley

On Fri, 28 Jun 2002, R. DuFresne wrote:

> I was thinking, and perhaps wrongly for versions prior to apache 2, that
> modules required openssl be shared, but, earlier mod-ssl based versions I
> do not think were so limited, being how they were built with ssl support.

Right. That's not a restriction in 1.3 as far as I know. Just 2.0 (due
to libtool).

For 2.0, if you want a shared mod_ssl, use a shared OpenSSL, and if you
want a static mod_ssl, use a static OpenSSL. 1.3 should be a bit more
flexible there. We'll get around to fixing that in 2.0 one of these days.
:-/

--Cliff


Re: SSLCryptoDevice: works as a static, not as a DSO...?

on 28.06.2002 17:21:04 by Geoff Thorpe

Hi there,

On Fri, 28 Jun 2002, James Bromberger wrote:

> Thanks Ron... I just did this, and there was no change -- it still
> doesn't like this directive:
> Invalid command 'SSLCryptoDevice', perhaps mis-spelled
> or defined by a module not included in the server configuration

[snip]

> The difference I am doing is removing the "--enable-shared=ssl" and
> "--enable-shared=max", and then it works (as a static).

I can't comment too directly on the build environment of apache/mod_ssl in
terms of shared/static loading, it's a bit of a minefield, especially when
you introduce solaris into the already muddied waters of portable
module-building ...

Nonetheless, I seem to recall seeing somewhere that you can't build a
mod_ssl DSO using a static openssl library. That could be a confusion of
a distant memory, or it could be just plain and completely wrong, however
it might be worth looking into.

As someone I think already mentioned, the only way you should get that
message from mod_ssl configuration is if you didn't build with
SSL_EXPERIMENTAL. If you did, mod_ssl should understand that directive -
and any failures to load/link against ENGINE-specific API calls would
manifest themselves in different ways (compiler-time or run-time linker
failures). OTOH: It's possible mod_ssl's "./configuration" might have
caused ENGINE support to be suppressed ... I don't recall much about
Ralf's configuration script, but this might be possible if he probes the
openssl libs for ENGINE support ...

Which versions of OpenSSL are you working with? Did you compile it(/them)
yourself or are you using existing packages? If you did compile them, do
you also have other system-wide versions installed? When building static
or shared (DSO) versions of mod_ssl, which forms (shared/static) of
openssl are you using?

Cheers,
Geoff

PS: This could also be something in the configuration/invocation of
apache/mod_ssl ... have you tried doing precisely the same thing on
something other than solaris to see? If you get the same error on linux,
freebsd, etc then it probably has nothing to do with compilation issues.
