Offloading Yarp crypto operations to OpenSSL dynamic engines. Is that possible?

[JEduCB]

Assuming I have a well-configured OpenSSL Engine in my Linux Ubuntu 20.04.5 system - openssl engine and openssl ... commands (and the engine logs) show me it's available and working.

And this is my /etc/ssl/openssl.conf config file (based on dotnet/runtime#36938 (comment)):

openssl_conf = openssl_init

[ openssl_init ]
engines = engine_section

[ engine_section ]
X = X_section

[ X_section ]
engine_id = X_engine
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/X_engine.so

default_algorithms = ALL
init = 1

So, considering the engine is working, if I implement a HTTPS proxy server using Yarp, may I assume the .net/OpenSSL stack would automatically offload crypto requests to the OpenSSL Engine?

If not, how can I configure Yarp to do that?
Could I do that by config files (like appsettings.json i.e.) or would it required additional code to load the engine dynamically?
Is that offloading even possible?

Thanks

# cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.5 LTS (Focal Fossa)"

# dotnet --list-sdks
3.1.425 [/usr/share/dotnet/sdk]
6.0.403 [/usr/share/dotnet/sdk]
7.0.100 [/usr/share/dotnet/sdk]

# dotnet --list-runtimes
Microsoft.AspNetCore.App 3.1.31 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 6.0.11 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 7.0.0 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 3.1.31 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.11 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 7.0.0 [/usr/share/dotnet/shared/Microsoft.NETCore.App]

[MihaZupan]

cc: @wfurt

[wfurt]

There is no setting for engines or other HW in .NET. And we certainly don't have any test coverage. dotnet/runtime#37383 is still open but it may work if the initialization is done by openssl itself.
I'm planning to take closer look at dotnet/runtime#66224 and perhaps engines as well for 8.0

My suggestion would be to create simple app with SslStream and give it try. When you look at the operations with strace it should be clear. You can also create self-contained app (to limit noise) and do LD_DEBUG=libs maApp. That would show you what libraries are loaded and you can check if the engine is there.
You can also run https://github.com/dotnet/performance and see if there is difference. I would be curious to see any numbers.

[JEduCB]

Thanks for the quick reply and comments @wfurt

I'll give that a try and see what I get. For some reason, with the above openssl.cnf settings all tests that I've run (openssl itself, wget, curl, i.e.) offload crypto requests to the engine, except dotnet.

LD_DEBUG=libs is definitely a good start. Thanks.

[wfurt]

cc: @bartonjs in case he has some more insight. Getting hands on some HW is on my TODO list.

[JEduCB]

Well, I did these tests and notice some issues with dotnet.

First, I ran this command:

$ LD_DEBUG=libs openssl speed rsa2048

and looked for libssl and libcrypto in the results. Found no issues:

     26775:	find library=libssl.so.1.1 [0]; searching
     26775:	  trying file=/lib/x86_64-linux-gnu/libssl.so.1.1
     26775:	calling init: /lib/x86_64-linux-gnu/libssl.so.1.1
     26775:	calling fini: /lib/x86_64-linux-gnu/libssl.so.1.1 [0]

     26775:	find library=libcrypto.so.1.1 [0]; searching
     26775:	  trying file=/lib/x86_64-linux-gnu/libcrypto.so.1.1
     26775:	calling init: /lib/x86_64-linux-gnu/libcrypto.so.1.1
     26775:	calling fini: /lib/x86_64-linux-gnu/libcrypto.so.1.1 [0]

Then I get this simple program and ran it: $ LD_DEBUG=libs ./TLSTest bing.com

using System.Diagnostics;
using System.Net.Security;
using System.Net.Sockets;

namespace TLSTest
{
    public static class Program
    {
        public static async Task Main(string[] args)
        {
            if(args.Length == 0)
            {
                Console.WriteLine("Use: TLSTTest host_name");
                return;
            }

            Stopwatch stopwatch = Stopwatch.StartNew();
            var targetHost = args[0];

            Console.WriteLine($"Testing {targetHost}");
            using TcpClient tcpClient = new TcpClient();
            await tcpClient.ConnectAsync(targetHost, 443);
            using SslStream sslStream = new SslStream(tcpClient.GetStream());

            try
            {
                await sslStream.AuthenticateAsClientAsync(targetHost);
                await Console.Out.WriteLineAsync($"Connected to {targetHost} with {sslStream.SslProtocol}");
                await Console.Out.WriteLineAsync($"Elapsed time = {stopwatch.ElapsedMilliseconds}");            
            }
            catch(Exception Ex)
            {
                Console.WriteLine($"Exception = {Ex.Message}\n\nHResult = {Ex.HResult}\n\nInner Exception = {Ex.InnerException}");
            }
        }
    }
}

Output

Testing bing.com
Connected to bing.com with Tls12
Elapsed time = 239

Looked again for both libssl and libcrypto. libcrypto produced the same result as above, but libssl presented issues:

     27233:	find library=libssl.so.3 [0]; searching
     27233:	  trying file=/lib/x86_64-linux-gnu/libssl.so.3
     27233:	  trying file=/usr/lib/x86_64-linux-gnu/libssl.so.3
     27233:	  trying file=/lib/libssl.so.3
     27233:	  trying file=/usr/lib/libssl.so.3
     27233:	find library=libssl.so.1.1 [0]; searching
     27233:	  trying file=/lib/x86_64-linux-gnu/libssl.so.1.1
     27233:	calling init: /lib/x86_64-linux-gnu/libssl.so.1.1
     27233:	/lib/x86_64-linux-gnu/libssl.so.1.1: error: symbol lookup error: undefined symbol: SSL_state (fatal)
     27233:	/lib/x86_64-linux-gnu/libssl.so.1.1: error: symbol lookup error: undefined symbol: ERR_new (fatal)
     27233:	/lib/x86_64-linux-gnu/libssl.so.1.1: error: symbol lookup error: undefined symbol: ERR_set_debug (fatal)
     27233:	/lib/x86_64-linux-gnu/libssl.so.1.1: error: symbol lookup error: undefined symbol: ERR_set_error (fatal)
     27233:	/lib/x86_64-linux-gnu/libssl.so.1.1: error: symbol lookup error: undefined symbol: EVP_CIPHER_get_nid (fatal)
     27233:	/lib/x86_64-linux-gnu/libssl.so.1.1: error: symbol lookup error: undefined symbol: EVP_MD_get_size (fatal)
     27233:	/lib/x86_64-linux-gnu/libssl.so.1.1: error: symbol lookup error: undefined symbol: EVP_PKEY_CTX_set_rsa_keygen_bits (fatal)
     27233:	/lib/x86_64-linux-gnu/libssl.so.1.1: error: symbol lookup error: undefined symbol: EVP_PKEY_CTX_set_rsa_oaep_md (fatal)
     27233:	/lib/x86_64-linux-gnu/libssl.so.1.1: error: symbol lookup error: undefined symbol: EVP_PKEY_CTX_set_rsa_padding (fatal)
     27233:	/lib/x86_64-linux-gnu/libssl.so.1.1: error: symbol lookup error: undefined symbol: EVP_PKEY_CTX_set_rsa_pss_saltlen (fatal)
     27233:	/lib/x86_64-linux-gnu/libssl.so.1.1: error: symbol lookup error: undefined symbol: EVP_PKEY_CTX_set_signature_md (fatal)
     27233:	/lib/x86_64-linux-gnu/libssl.so.1.1: error: symbol lookup error: undefined symbol: EVP_PKEY_get_base_id (fatal)
     27233:	/lib/x86_64-linux-gnu/libssl.so.1.1: error: symbol lookup error: undefined symbol: EVP_PKEY_get_size (fatal)
     27233:	/lib/x86_64-linux-gnu/libssl.so.1.1: error: symbol lookup error: undefined symbol: OSSL_PROVIDER_try_load (fatal)
     27233:	/lib/x86_64-linux-gnu/libssl.so.1.1: error: symbol lookup error: undefined symbol: SSL_get1_peer_certificate (fatal)
     27233:	calling fini: /lib/x86_64-linux-gnu/libssl.so.1.1 [0]

These tests were run with no OpenSSL Engine configured; and since dotnet is producing these errors when trying to load OpenSSL, that might be the root cause for the engine to fail loading when configured.

Any ideas?

OpenSSL

$ openssl version -a
OpenSSL 1.1.1f  31 Mar 2020
built on: Mon Jul  4 11:24:28 2022 UTC
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(int) blowfish(ptr) 
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-51ig8V/openssl-1.1.1f=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
Seeding source: os-specific

[wfurt]

That is not necessarily problem as the SslStream works. Since the .NET is trying to work agains different OpenSSL version is tries to load various symbols to see what is available. So it may tried to load something that is not present but it should not matter.

[JEduCB]

Hi @wfurt

That makes sense. In either case, I repeated all the above tests, this time enabling the engine. Again, openssl loaded all the libs with no errors, including the engine libs. The dotnet sample presented the same issues as above loading libssl.so.1.1, and additionally also presented errors loading the engine lib.

After googling similar loading issues, I found a simple solution: LD_PRELOAD=/lib/x86_64-linux-gnu/libssl.so.1.1:/lib/x86_64-linux-gnu/libcrypto.so.1.1 :)

Using LD_PRELOAD still didn't fix all the libssl.so.1.1 loading issues, but it fixed the engine libs loadings, and that is enough for me to keep working in my experiment since now the engine is working as expected.

Thanks for taking the time for answering my questions and comments.

Cheers.

[wfurt]

The interesting question is if you see differences in loading and using the engine.

[JEduCB]

Will answer that as soon as I get some data and after tuning BIOS and engine settings for best performance :)