[openssl-users] Ubsec and Chil engines

Matt Caswell matt at openssl.org
Fri Feb 19 11:31:06 UTC 2016


Hi all

The ubsec and chil engines are currently disabled in 1.1.0 and do not build.

As far as ubsec is concerned I understand that this is an engine for
broadcom cards. There has been very little activity with this engine
since it was first introduced. Google brings up some very old historic
references to its use.

There are a couple of more recent references.

This post from 2014 suggests that OpenSSL's support for this is broken
anyway and has been for some while:
https://forum.pfsense.org/index.php?topic=71857.0

There is also this post from 2013 from someone trying to get it to work
but with no (apparent) success:
https://stackoverflow.com/questions/17715546/openssl-speed-test-for-broadcom-engine

So for ubsec I can't find any evidence that it is being used successfully.


For chil I found this dicussion from 2012 on openssl-users where
apparently someone was using it (successfully):
http://openssl.6102.n7.nabble.com/Tutorials-on-OpenSSL-integration-with-nCipher-HSM-nShield-td2311.html

This RT ticket from 2008 is suggesting various fixes - the last of which
was applied. There was a brief flurry of commits tweaking stuff in chil
around this time:
https://rt.openssl.org/Ticket/Display.html?id=1736


So it seems that for chil there may possibly be some rare use (but even
the most recent evidence is 4 years old). However the OpenSSL dev team
do not have access to this hardware to maintain the engine and (as noted
above) this is currently not building in 1.1.0.

In both cases I would like to remove these engines from 1.1.0. I'd like
to hear from the community if there is any active use of these. One
option if there is found to be some small scale use is to spin out the
engine into a separately managed repo (as has happened recently with the
GOST engine).

If I don't hear from anyone I will remove these.

Matt



More information about the openssl-users mailing list