Attach an ENGINE context to a SSL_CTX

Question

I am wondering if there is a possibility to attach an ENGINE* implementation to a SSL_CTX* and/or SSL* structures. What I want to achieve is to have a SSL_CTX* that will be set with the default cryptographic operations builtin in OpenSSL and another SSL_CTX* that will use a dedicated HSM as the crypto layer.

Is a way that I can achieve this? From what I've read one could register and set to default some cryptographic operations(random, ciphers, md, etc...) but those that have been set will be used and not the builtin ones.

e.g. EVP_CipherInit_ex has its third parameter an ENGINE*. Encryption/Decryption with EVP_CIPHER_CTX* initialized this way will process the encryption/decryption via the ENGINE implementation.

Answer 1

From what I've seen and read, you can't. If you need to use an engine in your code, you have two options:

1. Set your engine as a default and it will be used by OpenSSL for all those methods that the engine provides, for all others - OpenSSL built in methods will be used. This is the call that you would need to use in this case:

   ENGINE_set_default(engine, ENGINE_METHOD_ALL)

2. Set your engine for a few chosen methods, e.g. code below will set it up for the method RAND only:

   ENGINE_set_default(engine, ENGINE_METHOD_RAND)

You can find more examples here: https://www.openssl.org/docs/manmaster/crypto/engine.html and in openssl's README.ENGINE.

In other words, engine is a global setting and if you want to map it to an SSL_CTX object, you would need to maintain that map manually.

BTW, I would be glad to be proven wrong, because I need this kind of functionality myself and hope that it will be implemented in the future.