Attach ENGINE context to SSL_CTX

I am wondering whether it is possible to bind an ENGINE* implementation to the SSL_CTX* and/or SSL* structures. I want one SSL_CTX* that uses the default cryptographic operations built into OpenSSL, and another SSL_CTX* that uses a dedicated HSM as its cryptographic layer.

Can I do this? From what I read, it is possible to register an engine and set some of its cryptographic operations (random, ciphers, md, etc.) as the default, but then the installed ones are used instead of the built-in ones.

E.g. EVP_CipherInit_ex takes an ENGINE* as its third parameter. Encryption/decryption with an EVP_CIPHER_CTX* initialised this way will be handled by the ENGINE implementation.

1 answer

From what I saw and read, you cannot. If you need to use the engine in your code, you have two options:

  • Set your engine as the default: it will then be used by OpenSSL for all the methods the engine provides, and OpenSSL's built-in methods will be used for everything else. This is the call you need in that case:

    ENGINE_set_default(engine, ENGINE_METHOD_ALL)

  • Set your engine for a few selected methods only; for example, the code below installs it just for the RAND method:

    ENGINE_set_default(engine, ENGINE_METHOD_RAND)

You can find more examples here: https://www.openssl.org/docs/manmaster/crypto/engine.html and in OpenSSL's README.ENGINE.

In other words, the engine is a global setting, and if you want to map it to an SSL_CTX object you will have to maintain that mapping yourself.

By the way, I would be happy to be mistaken, because I need such functionality and I hope that it will be implemented in the future.


Source: https://habr.com/ru/post/887453/