[openssl-users] Anyone willing or able to rescue the Ubsec engine?

Vincent Bentley vincent.bentley at du3.co.uk
Wed Apr 20 20:21:31 UTC 2016


I recently started a small business and I can't afford new enterprise
hardware just yet. However, I do make good use of older enterprise kit
and currently have more than twenty BCM5823 crypto accelerators in use.
I think that there may well be a lot of these cards still in use and
it's going to be a nasty surprise for many when they update OpenSSL and
find the performance has dropped.

I was really upset to hear that support for ubsec has already been
pulled and I wondered if anyone else was willing or able to help keep
support for this device in OpenSSL for two more years, to April 2018? I
realise why the OpenSSL project wanted to drop support for old
accelerators and I am grateful that they kept them in for so long.

I have one spare working BCM5823 and at least one BCM5821 to donate to a
rescue effort if required. I also have one Dell PowerEdge 840 tower
server with the necessary 64-bit PCI-X slots, 64-bit CPU for any
developer volunteering from the UK for this rescue if needed. The PE840
is too heavy to ship outside the UK.

I know SHA-1 is getting old but it is still a mandatory implementation
for DNSSEC. Lots of organisations have legacy tape libraries encrypted
in 3DES. These are just two applications where older enterprise servers
might be found chugging away with a Broadcom accelerator inside.

Rich Salz suggested posting here to see what the response would be. I
suspect that like me, many people that use ubsec don't subscribe to the
openssl mailing lists and won't notice for some time.

The bad news for ubsec users:
https://github.com/openssl/openssl/commit/766579ec893e8028288c7215090a6fa3bd424fa0

-Vince-


More information about the openssl-users mailing list