[openssl-users] [openssl-dev] Ubsec and Chil engines

Sat Feb 20 21:55:41 UTC 2016

In message <5B8F45EA-5867-4832-916A-6B31A323A59C at temme.net> on Sat, 20 Feb 2016 12:40:38 -0800, Sander Temme <sander at temme.net> said:

sander> 
sander> > On Feb 19, 2016, at 3:31 AM, Matt Caswell <matt at openssl.org> wrote:
sander> 
sander> OK that made our support lines blow up so yes there is interest.
sander> 
sander> Disclaimer: I work for Thales but do not speak for Thales.
sander> 
sander> > So it seems that for chil there may possibly be some rare use (but even
sander> > the most recent evidence is 4 years old). However the OpenSSL dev team
sander> > do not have access to this hardware to maintain the engine and (as noted
sander> > above) this is currently not building in 1.1.0.
sander> 
sander> I think (again, personal impression) that this is one of those
sander> sleeper integrations that a lot of people use but doesn’t get
sander> on the radar a whole lot. Using openssl is by far the easiest
sander> way to get the nShield HSM to do something with protected
sander> keys… as long as those are RSA keys.  Pair that with existing
sander> application integrations like Apache, OpenSSH, etc. I know of
sander> a number of customers and partners, none of whom I am at
sander> liberty to discuss (although they might speak up for
sander> themselves), who use OpenSSL with nShield for various
sander> applications.

Oh, nShield?  Back when I was playing with e_chil.c, it was nCipher.
But, no matter really...

sander> So it’s not dead.  What it does, it does very well.  If
sander> anything, the lack of visible activity may indicate how easy
sander> CHIL is to use and support.

The trouble is that we can't verify that.  We don't have the hardware
or the expertise.  Even the few of us that got to play with a nCipher
box 15+ years ago don't have that around any more.  So there's that
pile of code that no one dares to touch because we have no idea what
the effects might be and have no way of testing that.

With all that in mind, I've a question back to you...  wouldn't it be
more productive if Thales let an OpenSSL engine, built as a DSO,
accompany the hardware?  Considering you are much closer to the
hardware and the expertise, it seems a bit more appropriate, doesn't
it?

sander> What I would like to see though is for such a PKCS#11 Engine
sander> to be part of OpenSSL proper, so that our customers and
sander> everyone else’s don’t have to go hunt hither and yon for bits
sander> and bobs of software in order to make their hardware kit work
sander> with OpenSSL.  How would OpenSSL obtain a PKCS#11 Engine to
sander> include in its distribution?

I'm not sure if this is a problem specifically for OpenSSL to solve,
or if it is a packager problem.  Sometimes, the border between the two
might be blurry, but...  If OpenSSL is to "obtain" a PKCS#11 engine,
it would probably be by writing one.  It would be far easier, though,
if someone would package the already existing engine_pkcs11 with
OpenSSL (that packaging doesn't have to be done by the OpenSSL team),
*or* with hardware distributions.

Cheers,
Richard

-- 
Richard Levitte         levitte at openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/