[openssl-users] Anyone willing or able to rescue the Ubsec engine?

Matt Caswell matt at openssl.org
Wed Apr 20 21:34:40 UTC 2016



On 20/04/16 21:21, Vincent Bentley wrote:
> I recently started a small business and I can't afford new enterprise
> hardware just yet. However, I do make good use of older enterprise kit
> and currently have more than twenty BCM5823 crypto accelerators in use.
> I think that there may well be a lot of these cards still in use and
> it's going to be a nasty surprise for many when they update OpenSSL and
> find the performance has dropped.
> 
> I was really upset to hear that support for ubsec has already been
> pulled and I wondered if anyone else was willing or able to help keep
> support for this device in OpenSSL for two more years, to April 2018? I
> realise why the OpenSSL project wanted to drop support for old
> accelerators and I am grateful that they kept them in for so long.
> 
> I have one spare working BCM5823 and at least one BCM5821 to donate to a
> rescue effort if required. I also have one Dell PowerEdge 840 tower
> server with the necessary 64-bit PCI-X slots, 64-bit CPU for any
> developer volunteering from the UK for this rescue if needed. The PE840
> is too heavy to ship outside the UK.
> 
> I know SHA-1 is getting old but it is still a mandatory implementation
> for DNSSEC. Lots of organisations have legacy tape libraries encrypted
> in 3DES. These are just two applications where older enterprise servers
> might be found chugging away with a Broadcom accelerator inside.
> 
> Rich Salz suggested posting here to see what the response would be. I
> suspect that like me, many people that use ubsec don't subscribe to the
> openssl mailing lists and won't notice for some time.
> 
> The bad news for ubsec users:
> https://github.com/openssl/openssl/commit/766579ec893e8028288c7215090a6fa3bd424fa0

That's interesting. I did attempt to do some research on who was
actually using this and came up with nothing recent, and no-one spoke up
for the engine when it was proposed that we drop it.

The good news is that support remains within the 1.0.2 version. Since
1.0.2 is a Long Term Support release, this means that a version of
OpenSSL will support ubsec until 31st December 2019.

If you must have it work in 1.1.0 and beyond then there is no reason why
you could not support this engine yourself in an external repo and have
it work with 1.1.0. I wouldn't think it would be that hard to do. Just
extract the code in the state that it was in at the point that the above
commit removed it. You will probably need to do some tweaks to get it to
build with subsequent changes (a number of structures have gone opaque
since then which probably means some adjustments will be needed). I can
give you some pointers with what needs to be done if that is the case.
Then you just need to build it as a .so and drop it into the
OPENSSL_ENGINES directory.

Matt

