[openssl-users] Multiple client connection to Nginx server

ASHIQUE CK ckashiquekvk at gmail.com
Wed Dec 12 14:53:11 UTC 2018


Hi,
Thanks for your reply.
OpenSSL only passes (ctx,type,arg,ptr) in the case of header and
(ctx,out,in,inl) in the case of message; these two are the only links to
the engine after the handshake process for the whole process. In my case, I am
downloading a file from the nginx root directory using a client program. How
can I get a unique id, so that I can copy the respective Key and IV
every time an SSL_write request comes from a client with that id? Because
I am trying to run 3 clients simultaneously for downloading a file. I am
able to download only at one client, the last connected one, and the other two
show that tag verification failed, because both those connections got the
same Key and IV of the last connection.
   So for every client connection, is there any way to get a unique id so
that I can load the respective Key and IV? But the only links from OpenSSL to
the engine are the above mentioned two cases. The only other information I am
getting is from *ctx*. Can I do something with that *ctx* to get a
unique id?

Thanks

On Wed 12 Dec, 2018, 7:56 PM Jakob Bohm via openssl-users <openssl-users at openssl.org> wrote:

> On 12/12/2018 12:54, ASHIQUE CK wrote:
> > Hi,
> > Any help on this ?
> >
> > On Wed, Dec 12, 2018 at 3:03 PM ASHIQUE CK <ckashiquekvk at gmail.com
> > <mailto:ckashiquekvk at gmail.com>> wrote:
> >
> >     Hi,
> >     We are using a Crypto Accelerator Engine to offload AESGCM and RSA
> >     parameters. Trying to connect multiple clients simultaneously with
> >     a single Nginx server, which is using this accelerator.  The Key
> >     and IV are passed only at handshake, and after handshake this set
> >     of Key and IV is used for all encryption and decryption. So at
> >     the Engine side, we are storing this Key and IV in a buffer and while
> >     encrypting/decrypting, this Key and IV are used from this buffer.
> >     But, while multiple clients connect, the last saved Key/IV is
> >     being used for all clients.
> >             So, is there any way to get a unique ID for each client
> >     connection ?
> >
> >
> The following assumes that the accelerator is accessed using an
> OpenSSL "engine" plugin; if instead you are inserting code in NGINX
> to hand over the complete SSL/TLS record processing to the hardware,
> then a different approach is needed.
>
> OpenSSL Crypto Engines are not limited to SSL/TLS but can be used
> for other tasks using the OpenSSL libcrypto library.
>
> Thus the way this works is that the SSL/TLS code requests an EVP "handle"
> for each key that it wants to use; this handle then maps (indirectly)
> to a structure passed to the engine, which is unique to each key.
>
> A correctly implemented engine is supposed to use that structure to
> tell the difference between different keys stored in the actual
> hardware.
>
> For the case of GCM key/IV pairs, it may be that in some situations
> OpenSSL requests more than one EVP key instance for the same key,
> typically to allow each to have its own independent state (for GCM,
> this is the counter, for CBC it would be the IV chaining from block
> to block).  The simple solution is to just treat them as different
> keys, but if this uses too many hardware key storage locations, an
> engine may use some way to recognize the reused key, share the
> hardware object and keep count of how many "handles" point to that
> key.
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
>
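Jakob's point, that the per-key structure handed to every engine callback is the identity to key on, illustrated with an added example that is not from this thread or from OpenSSL: a pure-C stand-in for an engine's init (ctx,key,iv,enc) and do_cipher (ctx,out,in,inl) callbacks, first with the single global Key/IV buffer the thread describes, then with Key/IV kept in the context's own data. The CIPHER_CTX type, toy_xor keystream and clients_ok driver are assumptions for the demo; a real engine would keep the same per-key data in the EVP_CIPHER_CTX it receives (sized with EVP_CIPHER_meth_set_impl_ctx_size, read back with EVP_CIPHER_CTX_get_cipher_data).

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for EVP_CIPHER_CTX. OpenSSL allocates one per SSL
 * connection and passes it to the engine's init and do_cipher callbacks, so
 * the ctx itself is the per-connection identity the thread is asking for. */
typedef struct { int enc; uint8_t key[16]; uint8_t iv[12]; } cipher_data;
typedef struct { cipher_data data; } CIPHER_CTX;
typedef int (*init_fn)(CIPHER_CTX *, const uint8_t *, const uint8_t *, int);
typedef int (*cipher_fn)(CIPHER_CTX *, uint8_t *, const uint8_t *, size_t);

/* Toy keystream standing in for the accelerator's AES-GCM; not a real cipher. */
static void toy_xor(uint8_t *out, const uint8_t *in, size_t n,
                    const uint8_t *key, const uint8_t *iv) {
    for (size_t i = 0; i < n; i++) out[i] = in[i] ^ key[i % 16] ^ iv[i % 12];
}

/* Pattern from the thread: Key/IV copied into ONE global buffer, so the last
 * handshake to finish overwrites what earlier connections stored. */
static uint8_t g_key[16], g_iv[12];
static int init_global(CIPHER_CTX *ctx, const uint8_t *k, const uint8_t *iv, int enc) {
    (void)ctx; (void)enc; memcpy(g_key, k, 16); memcpy(g_iv, iv, 12); return 1;
}
static int cipher_global(CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, size_t n) {
    (void)ctx; toy_xor(out, in, n, g_key, g_iv); return (int)n;
}

/* Fix: Key/IV live in the context's own cipher data, one copy per connection. */
static int init_perctx(CIPHER_CTX *ctx, const uint8_t *k, const uint8_t *iv, int enc) {
    ctx->data.enc = enc; memcpy(ctx->data.key, k, 16); memcpy(ctx->data.iv, iv, 12);
    return 1;
}
static int cipher_perctx(CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, size_t n) {
    toy_xor(out, in, n, ctx->data.key, ctx->data.iv); return (int)n;
}

/* Three clients finish their handshakes before any record arrives, then each
 * sends one record. Returns how many the server decrypts back to the original
 * text (with real GCM the mismatched ones fail tag verification instead). */
int clients_ok(init_fn init, cipher_fn cipher) {
    const uint8_t *msg = (const uint8_t *)"GET /f\r\n";   /* constructed sample */
    CIPHER_CTX ctx[3]; uint8_t key[3][16], iv[3][12], wire[8], got[8];
    int ok = 0;
    for (int i = 0; i < 3; i++) {                          /* distinct Key/IV each */
        memset(key[i], 0x10 * (i + 1), 16); memset(iv[i], i + 1, 12);
        init(&ctx[i], key[i], iv[i], 0);
    }
    for (int i = 0; i < 3; i++) {
        toy_xor(wire, msg, 8, key[i], iv[i]);              /* client encrypts */
        cipher(&ctx[i], got, wire, 8);                     /* server decrypts */
        ok += memcmp(got, msg, 8) == 0;
    }
    return ok;
}
```

With the global buffer only the last-connected client round-trips (1 of 3), exactly the symptom reported; with per-context data all three do.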