Re: OpenSSL ENGINE 2nd version
Date: Mon, 17 Dec 2001 20:57:29 +0100
Daniel Stenberg wrote:
> On Mon, 17 Dec 2001, Götz Babin-Ebell wrote:
> Hey again! ;-)
> While applying your patch and reading the new code, I stumbled over this
> (again) and I really can't see the use case for these two:
> It sets the engine to use in the curl handle for the upcoming SSL
> connection. Fine.
> Now, this sets the default engine. Default for what? For all SSL sessions
> Does this mean that if we use both these options, we don't have to set any of
> them in the next one and it'll automaticly use the ENGINE anyway?
The difference is:
* CURLOPT_SSLENGINE sets the crypto engine for the private key used in
You have to set it for every CURL object you use.
* CURLOPT_SSLENGINE_DEFAULT sets the crypto engine for all other
(mostly asymmetric) operations.
> I understand we're not to blame for silly OpenSSL design decisions (that sets
> global things for a library!), but if we have the CURLOPT_SSLENGINE set for
> the handle, why would we ever use the CURLOPT_SSLENGINE_DEFAULT?
To use CURLOPT_SSLENGINE_DEFAULT is good for two reasons:
* asymmetric cryptography (especially RSA) requires calculations with
of some hundred bit lengths. Normal processors are not built for such
A cryptography module, on the other hand, is specially designed to do
operations. This does not necessarily mean that a cryptographic module
always accelerates a single handshake (transferring the data to the
some overhead...) but it is especially useful on a heavily loaded server,
it frees the processor to do other tasks...
* Professional cryptography modules (exception: chip cards) come with a
(hardware) source of random data. And this is something you need in
Normal computers don't have hardware random generators; they calculate
data from internal system states (if they provide a random pool at
The reason why chip cards normally have very slow random generators is
(hardware) random generator needs some (electrical) power that is not
in a chip card.
--
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126