[openssl-users] How to make OpenSSL engine usage application specific?

Linsell, StevenX stevenx.linsell at intel.com
Tue Feb 20 13:22:20 UTC 2018


> On Mon, 19 Feb 2018 Jayalakshmi Bhat wrote:
> 
> Engine usage is application specific. There are a couple of applications
> dependent on the RSA TPM engine. And there are a few applications dependent
> on the RSA smart card engine.
>
> We wanted to know if there are any APIs provided by OpenSSL to make the
> engine usage application specific? Is there any way we can make OpenSSL
> choose a specific engine for a specific application?
>

I think, but don't quote me, that if your applications are using the openssl.cnf file to configure the
engine you are going to use, then the OPENSSL_CONF environment variable will allow you to
control the configuration file loaded by OpenSSL. This allows you to have application-specific
configuration files that load the engine you require and make it the default engine.
This is dependent on your application having been built with OPENSSL_LOAD_CONF defined.
You can also control the config file loaded programmatically via OPENSSL_config.

The alternative is loading your engine programmatically such as nginx does:
https://github.com/nginx/nginx/blob/master/src/event/ngx_event_openssl.c#L4193-L4237
and use ENGINE_set_default to make the engine you require the default for that application.
Of course that is only useful if you are in control of your application's source code.

There are more details here:
https://wiki.openssl.org/index.php/Library_Initialization
https://www.openssl.org/docs/manmaster/man5/config.html

Steve Linsell                   Intel Shannon DCG/CID Software Development Team
Stevenx.Linsell at intel.com
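
The OPENSSL_CONF approach described in the reply above, sketched as an added example (not part of the original message, and not code from OpenSSL or nginx). The engine ids, library paths and function names are placeholders chosen for illustration, and it assumes the application loads the OpenSSL config file as the reply describes. Because `dynamic_path` names a shared library that is loaded into the process, the launcher refuses a config file that is group- or world-writable.

```shell
#!/bin/sh
# Added example: one OpenSSL config file per application, each selecting
# its own default engine. Engine ids and .so paths are placeholders.

# write_engine_conf FILE ENGINE_ID SO_PATH
# Writes a minimal config that loads one engine and makes it the default
# for RSA. The file is created readable/writable by the owner only.
write_engine_conf() {
    (
        umask 077
        cat > "$1" <<EOF
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
app_engine = app_engine_section

[app_engine_section]
engine_id = $2
dynamic_path = $3
default_algorithms = RSA
init = 1
EOF
    )
}

# conf_is_safe FILE
# Succeeds only if FILE is a regular file that is neither group- nor
# world-writable (find prints the name when either write bit is set).
conf_is_safe() {
    [ -f "$1" ] &&
        [ -z "$(find "$1" -prune -type f \( -perm -020 -o -perm -002 \))" ]
}

# run_with_engine_conf FILE COMMAND [ARGS...]
# Runs COMMAND with OPENSSL_CONF pointing at FILE, so only this process
# (and its children) see that engine configuration.
run_with_engine_conf() {
    conf=$1
    shift
    conf_is_safe "$conf" || {
        echo "refusing unsafe OpenSSL config: $conf" >&2
        return 1
    }
    env OPENSSL_CONF="$conf" "$@"
}
```

A TPM-backed service and a smart-card-backed service would each get their own file from `write_engine_conf` and be started through `run_with_engine_conf`, leaving the system-wide openssl.cnf untouched.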

