[openssl-dev] how to static compile ssl engine into openssl

Tue Sep 26 14:00:40 UTC 2017

On 26/09/2017, Levitte, Richard via openssl-dev wrote:
> 
> chengwenping1> I?m working on accelerating ssl traffic with Intel QAT
> chengwenping1> card, now openssl 1.1.0f is integrated into Nginx, so I
> chengwenping1> need to static compile Intel QAT engine into openssl, and
> chengwenping1> I do not find some useful info about it from Internet,
> chengwenping1> although openssl-1.1.0f/engines/ build.info, it is not
> chengwenping1> applicable from QAT engine from
> chengwenping1> https://github.com/01org/QAT_Engine. Is there a guide
> chengwenping1> line for this case?
> 
> Unforatunately, there is no such guide that I know of.  I just had a look in
> e_qat.c, and there seems to be support for doing that there (see the
> sections guarded by OPENSSL_NO_DYNAMIC_ENGINES), but I can't see any
> way to make use of that in their configuration.
> 
> If this is what you really want, I suggest you create an issue in the
> QAT_Engine project...  but you probably need to understand that you may
> not get what you want, and if you do, it's probably going to be an
> unsupported hack.

I can confirm that the Intel Quickassist Technology(QAT) OpenSSL Engine 
does not support compiling as a static engine against OpenSSL 1.1.0f.
As Richard observed there is some legacy code remaining in the engine 
that would allow it to work as a static engine, but if you wanted to build
that way you would need to make modifications to the OpenSSL build
system to compile in the engine and then some further code changes 
for it to use the engine. We purposely left that code in the engine from
the previous OpenSSL 1.0.1 engine just in case someone needed a static
build but it is untested again OpenSSL 1.1.0.
There was a discussion around the feasibility of adding the QAT Engine 
to the OpenSSL project the other year but it is OpenSSL's direction not to 
accept new hardware engines into the project as the burden of needing
specific hardware and expertise to maintain those engines is too great.   
Without the engine being part of the main OpenSSL project it is not really 
feasible to have a static engine as we would need to maintain some sort
of OpenSSL patch to make everything work together. 

Steve Linsell                         Intel Shannon DCG/CID Software Development Team
Stevenx.Linsell at intel.com

--------------------------------------------------------------
Intel Research and Development Ireland Limited
Registered in Ireland
Registered Office: Collinstown Industrial Park, Leixlip, County Kildare
Registered Number: 308263

This e-mail and any attachments may contain confidential material for the sole
use of the intended recipient(s). Any review or distribution by others is
strictly prohibited. If you are not the intended recipient, please contact the
sender and delete all copies.