jasonacox / Build-OpenSSL-cURL

Scripts to build OpenSSL, HTTP/2 (nghttp2) and cURL (libcurl) for MacOS, iOS and tvOS devices (x86_64, armv7, armv7s, arm64, arm64e). Now Supporting Apple Silicon, OpenSSL 3.0.x with TLS 1.3 and Mac Catalyst builds.
MIT License

Openssl is built with OPENSSL_NO_ENGINE flag #36

Closed ugochirico closed 4 years ago

ugochirico commented 4 years ago

openssl is built with OPENSSL_NO_ENGINE flag. Why? I need to build it without that flag because I need to implement my engine. How can I do that?

jasonacox commented 4 years ago

For those wondering what this means, OpenSSL supports alternative cryptography implementations, most commonly used to interface with external cryptographic accelerator hardware.

It seems that the OPENSSL_NO_ENGINE flag shows up when trying to cross-compile to iOS and tvOS devices. I do not see this on the MacOS builds.

Looking at the OpenSSL source, this appears to be coming from the openssl Configuration for building iOS targets. Looking at OpenSSL 1.1.1d, in the file ./openssl/openssl-1.1.1d/Configurations/15-ios.conf you will notice that the Configuration disables engine.

my %targets = (
    "ios-common" => {    
        template         => 1,
        inherit_from     => [ "darwin-common" ],
        sys_id           => "iOS",
        disable          => [ "engine", "async" ],
    },

You might be able to manually edit that file and build with the static engine active (I suspect iOS won't like the dynamic engine). I'll try it and see if it works but since this is a default configuration for OpenSSL, I'm worried that it could have negative consequences.

ugochirico commented 4 years ago

Thanks for your help. I'm building for iOS and I need to implement a static engine. I know OpenSSL doesn't support dynamic engines because iOS doesn't support .so, but it should support static engines. The build for iOS should disable the dynamic engine but enable the static engine. Your configuration disables both.

To my knowledge, this disables both: ./Configure ... -no-engine

but this one should disable the dynamic only:

./Configure ... -no-dynamic-engine

How can I set -no-dynamic-engine in your build?

ugochirico commented 4 years ago

I solved it by changing it this way:

my %targets = (
    "ios-common" => {    
        template         => 1,
        inherit_from     => [ "darwin-common" ],
        sys_id           => "iOS",
        disable          => [ "dynamic-engine", "async" ],
    },

jasonacox commented 4 years ago

I could update my script to optionally sed edit that file to replace the disable "engine" with "dynamic-engine". Keep in mind that this file comes with the OpenSSL source so the OpenSSL team specifically wanted to disable engine for iOS builds. I don't know the reason for their decision but there could be unintended consequences of having engine on iOS. I can't think of any reason and would love to hear how it is working for you. Also, I would love to hear what engine you are using for iOS. :)

As a note, I was able to compile with engine and get the libraries to run successfully with the Example iOS app.
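As an added example (not part of the Build-OpenSSL-cURL scripts), here is a POSIX shell helper that performs the edit described above: it switches the iOS target's disable list from "engine" to "dynamic-engine" so the static engine interface stays available, refuses to touch a file that does not carry the expected line, and is safe to run twice. The sample config is constructed from the snippet quoted in this thread; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the repository: patch a copy of
# Configurations/15-ios.conf so only the dynamic engine is disabled.

# Constructed stand-in for the relevant part of 15-ios.conf (OpenSSL 1.1.1d).
make_sample_conf() {
    cat > "$1" <<'EOF'
my %targets = (
    "ios-common" => {
        template         => 1,
        inherit_from     => [ "darwin-common" ],
        sys_id           => "iOS",
        disable          => [ "engine", "async" ],
    },
);
EOF
}

# Report which engine setting the config carries: "static" (only the
# dynamic engine disabled), "none" (all engines disabled) or "unknown".
engine_mode() {
    if grep -q '"dynamic-engine"' "$1"; then echo static
    elif grep -q '"engine"' "$1"; then echo none
    else echo unknown
    fi
}

# Replace "engine" with "dynamic-engine" in the disable list.
# Returns 0 on success or when already patched, 1 if the expected line is
# missing, so a changed OpenSSL release is noticed instead of silently
# shipping with engines turned off.
enable_static_engine() {
    conf="$1"
    [ "$(engine_mode "$conf")" = static ] && return 0
    if ! grep -q 'disable *=> *\[ *"engine"' "$conf"; then
        echo "enable_static_engine: expected disable line not found in $conf" >&2
        return 1
    fi
    cp "$conf" "$conf.orig"   # keep the untouched copy for diffing / rollback
    # -i.bak works on both GNU sed and the BSD sed shipped with macOS.
    sed -i.bak 's/\(disable *=> *\[ *\)"engine"/\1"dynamic-engine"/' "$conf"
    rm -f "$conf.bak"
}
```

Pointed at a real `openssl-1.1.1d/Configurations/15-ios.conf`, the helper leaves a `.orig` copy beside the file so the change can be reviewed before running `./Configure`.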

ugochirico commented 4 years ago

To my knowledge, a static engine can also be used on iOS. Mainly I'm writing my own engine for the new Italian identity card that supports NFC, so that the engine will provide RSA signatures by sending commands to the e-id card via NFC. It's a very hard job.

Now my problem is enabling libcurl to use engines. It seems that the default build for iOS doesn't set the flag HAVE_OPENSSL_ENGINE_H, so you cannot use a custom static engine in libcurl. Do you know how to set such a flag? I'm investigating. I'll let you know my progress.

jasonacox commented 4 years ago

I updated the build script to allow you to compile with engine enabled on OpenSSL for iOS using ./build.sh -e. I would be interested to know if it works for you. If you are able to tweak the build, let me know what you change so I can merge it into the build script.

ugochirico commented 4 years ago

Hi @jasonacox, many thanks. Your update seems to work. Now I need to build OpenSSL with the flag -enable-ssl-trace. How can I do that?

jasonacox commented 4 years ago

Awesome! Thanks for the feedback. For that option, you can edit the openssl-build.sh script and add flags to the Configure calls to include things like this. I added an update to include this via a variable at the top of that script and went ahead and activated enable-ssl-trace.

CUSTOMCONFIG="enable-ssl-trace"

Give it a try now and see if it works.