Author: james

I purchased a Toshiba PocketPC e570 PDA in June 2002. This device is a little bulky, but had the advantage of a CF (Compact Flash) port and a secure media port.

My hopes where to be able to send and recieve emails (plain text is fine), and be able to print (via IRDA).

While printing does work, it is not a part of the default suite of programs available. You have to shell out more money to 3rd party developers to get this support working. Looks like Toshiba, or Microsoft, took shortcuts. I was trying to print to a Hewlet Packard LaserJet 2100 M, and HP’s web site directed me to get drivers from my manufacturer, Toshiba. Toshiba’s PocketPC web site is completely fucking useless. There entire support structure is geared *away* from these products. Their staff reject and disencourage PocketPC support questions. Aghhh!

Luckily, their telephone support does exist. Place a call and save time. While you’re there, ask to speak to a manager, and tell them that in place of wasting their time right now, you could be helping yourself to the information you are after if they put some effort into their web site!

Ho hum. Lets move on. Printing. Looks like the 3rd party software is at fieldsoftware.com. The product is called PrintPocketCE, and while a little sliggish on some redraws, it does work under PocketPC 2002 quite well. Well done FS. A 30 day trial is availale, and the software is around US$39 or so.

Back to getting data in and out of the device. I got a belkin 802.11b wireless CF card. I can cruise around my network; I can see it DHCP, and I can use the built-in IE browser to look at HTTP and HTTPS web sites. I havent forced it yet, but using a specific proxy with HTTPS would be nice; if people are going to use wireless, doing a bit extra to help secure it at an application layer is nice.

And it is security that brings me to my next issue. For me, email is either accessed locally on a server, or via IMAPS. IMAPS is like IMAP, except over SSL. If I am going to have passwords fly around the network, I like them to be encrypted in transit! However, the ‘INBOX’ client that comes with PocketPC 2002 seems to be too cut down, only supporting unencrypted POP3 and IMAPv4. There is no SSL support here. This is pretty important. It seems there are no Mail User Agents (MUA) for the PocketPC that support IMAPS. Fr me. this greatly hinders the use of the product.

The Sun Crypto Accelerator Board 1 is a PCI based board that is used to accelerate public key cryptography, used during the establishment of SSL connections to web servers.

Sun provide a set of patches against OpenSSL 0.9.4. This version was released quite some time ago, and does not support the notion of SGC, or Server Gated Cryptptography. SGC, also called SuperCerts, Global Server Certs, or Step-Up Cryptography, permits the (now venerable) Export Grade browsers to renegotiate their cryptgraphy sterngth with certain web sites that have special extended certificate usage flags set within their signed web site certificate.

While Sun’s patches do work against OpenSSL 0.9.4, and thus permit you to run Apache + ModSSL + OpenSSL, you wont be able to do SGC.

The Sun card is a rebadged Rainbow CS-200 card. It has a little LED on the PCI card to indicate that it is on (green) and when it is doing crypto (orange).

The next important thing to know is what the card can accelerate for you. Doing SSL to a web site actually uses two different types of cryptography. The inital is a public key exchange; this is because this is the only feaible way of doing public encryption without a shared secret. After this has been done, we THEN use a shared secret: symmetric key encryption.

The Sun Crypto Accelerator Board 1 will only help you with one part of the encryption: the public key stuff. Once a symmetric key has been passwd between both parties, it is not used on this connection any more. Furthermore, if you have a SSLSessionCache set up, this symmetric key is saved between subsequent connections. So using your own browser and trying to see if the Crypto Card is helping will actually not show you anything; every time you re-test and reload a page, you will be using the saved SSL Sesscion Cache symmetric key, not renegotiating a new session key! For testing purposes, disable this, but for production use, turn it on.

Testing the card with software: Rainbow supply a utility called csdiag, and Sun have something similar called cstest. These utilities show you the number of interrupts and request that have been routed to the PCI card. Unfortunately, the act of inspecting the interrupts on the card actually increases these interrupts, similar to the problems of quantum mechanics and the law of observability; the act of observing changes the state. This known change must be taken into consideration when using these programs.

The card works by using a kernel resident driver, cspci. Under Solaris, you can find if it is in memory with modinfo |grep cspci. There is also a library of code that is used, libcswift.so. Rainbow supply libcswift.so.5.0.2, and Sun supply libcswift.so.5.2.2. However, more importantly, Rainbow puts this in /usr/local, while Sun uses /opt/SUNWconn/sunsecure/lib. The first one is part of your LD_LIBRARY_PATH, and the second is not. The solution is a simple symbolic link from /usr/lib/libcswift.so to the same name as supplied by Sun in /opt….

I have done this with OpenSSL-Engine-0.9.6b, which is the current release as of this writing. No modifications to the OpenSSL code were required. No modifications to Apache or Mod_SSL were required, other than enabling the EXPERIMENTAL code. The simple check list boils down to:

• Make sure there is a /usr/lib/libcswift.so
• Turn off SSLSessionCache for testing to see the counters go up and the orange LED come on.

The broader question of what advantage this proves is yet to be seen. There are known issues with some OpenSSL functionality (eg, “openssl speed rsa -engine cswift” does not work correctly). As to Web SSL (HTTPS) connections: since you have a session cache, and are doing symmetric key encryption on your main CPU any way, it is only a small part that is being off loaded. As to how expensive this part is, I don’t know.

I hope this helps someone else who is in this situation. Thanks goes to Ros at Rainbow and Mike Tan at Sun for their help in getting this sorted. Thanks also to Todd Piket (and his OpenSSL + Crypto Board stats page, plus the people of the Mod-SSL and OpenSSL mailing lists.

FYI, the information I get from cstest from Sun now is:

$ ./cstest
"             API Version: 5.2.2
""          Driver Version: 2.1.3
""            Accelerators: 1
""          Command Bitmap: 7f000000
""     Interrupts Serviced: 47498
""     Interrupts Received: 47498
""      Requests Attempted: 47497
""      Requests Completed: 47497
""Maximum Pending Requests: 1
""Current Pending Requests: 0
""
""      Accelerator #: 0
""          Last Test: 0
""   Self Test Bitmap: 00000000
""     Command Bitmap: 7f000000
""   Hardware Version: 108e:61.14.7
""   Firmware Version: 2.2.2
""          Signature: 6f3beadd
""Interrupts Serviced: 47499
""Interrupts Received: 47499
"" Requests Attempted: 47498
"" Requests Completed: 47498
""          Idle Time: 0
""               Name: Sun Crypto Accelerator
""       BIOS Version: 0.0.0
""