Sun Crypto Accelerator Board 1: How to get it working with OpenSSL

The Sun Crypto Accelerator Board 1 is a PCI-based board that is used to accelerate public key cryptography, used during the establishment of SSL connections to web servers.

Sun provide a set of patches against OpenSSL 0.9.4. This version was released quite some time ago, and does not support the notion of SGC, or Server Gated Cryptography. SGC, also called SuperCerts, Global Server Certs, or Step-Up Cryptography, permits the (now venerable) Export Grade browsers to renegotiate their cryptography strength with certain web sites that have special extended certificate usage flags set within their signed web site certificate.

While Sun’s patches do work against OpenSSL 0.9.4, and thus permit you to run Apache + ModSSL + OpenSSL, you won't be able to do SGC.

The Sun card is a rebadged Rainbow CS-200 card. It has a little LED on the PCI card to indicate that it is on (green) and when it is doing crypto (orange).

The next important thing to know is what the card can accelerate for you. Doing SSL to a web site actually uses two different types of cryptography. The initial step is a public key exchange; this is because it is the only feasible way of encrypting without a pre-shared secret. After this has been done, we THEN use a shared secret: symmetric key encryption.

The Sun Crypto Accelerator Board 1 will only help you with one part of the encryption: the public key stuff. Once a symmetric key has been passed between both parties, the card is not used on this connection any more. Furthermore, if you have a SSLSessionCache set up, this symmetric key is saved between subsequent connections. So using your own browser and trying to see if the Crypto Card is helping will actually not show you anything; every time you re-test and reload a page, you will be using the saved SSL Session Cache symmetric key, not renegotiating a new session key! For testing purposes, disable this, but for production use, turn it on.

Testing the card with software: Rainbow supply a utility called csdiag, and Sun have something similar called cstest. These utilities show you the number of interrupts and requests that have been routed to the PCI card. Unfortunately, the act of inspecting the counters on the card itself generates interrupts, much like the observer effect in quantum mechanics: the act of observing changes the state. This known change must be taken into account when using these programs.

The card works by using a kernel-resident driver, cspci. Under Solaris, you can check whether it is loaded with modinfo | grep cspci. There is also a shared library that is used; Rainbow supply one, and Sun supply one. More importantly, Rainbow puts this in /usr/local, while Sun uses /opt/SUNWconn/sunsecure/lib. The first one is part of your LD_LIBRARY_PATH, and the second is not. The solution is a simple symbolic link from /usr/lib/ to the same name as supplied by Sun in /opt….

I have done this with OpenSSL-Engine-0.9.6b, which is the current release as of this writing. No modifications to the OpenSSL code were required. No modifications to Apache or Mod_SSL were required, other than enabling the EXPERIMENTAL code. The simple checklist boils down to:

  • Make sure there is a /usr/lib/
  • Turn off SSLSessionCache for testing to see the counters go up and the orange LED come on.

The broader question of what advantage this provides is yet to be seen. There are known issues with some OpenSSL functionality (eg, “openssl speed rsa -engine cswift” does not work correctly). As to Web SSL (HTTPS) connections: since you have a session cache, and are doing symmetric key encryption on your main CPU anyway, it is only a small part that is being offloaded. As to how expensive this part is, I don’t know.

I hope this helps someone else who is in this situation. Thanks go to Ros at Rainbow and Mike Tan at Sun for their help in getting this sorted. Thanks also to Todd Piket (and his OpenSSL + Crypto Board stats page), plus the people of the Mod-SSL and OpenSSL mailing lists.

FYI, the information I get from cstest from Sun now is:

$ ./cstest
             API Version: 5.2.2
          Driver Version: 2.1.3
            Accelerators: 1
          Command Bitmap: 7f000000
     Interrupts Serviced: 47498
     Interrupts Received: 47498
      Requests Attempted: 47497
      Requests Completed: 47497
Maximum Pending Requests: 1
Current Pending Requests: 0
      Accelerator #: 0
          Last Test: 0
   Self Test Bitmap: 00000000
     Command Bitmap: 7f000000
   Hardware Version: 108e:61.14.7
   Firmware Version: 2.2.2
          Signature: 6f3beadd
Interrupts Serviced: 47499
Interrupts Received: 47499
 Requests Attempted: 47498
 Requests Completed: 47498
          Idle Time: 0
               Name: Sun Crypto Accelerator
       BIOS Version: 0.0.0