From: Lev Walkin <vlm@netli.com>
Organization: Netli, Inc.
Date: Fri, 09 Apr 2004 02:37:38 -0700
To: Rumen Telbizov
Cc: security@freebsd.org
Subject: Re: recommended SSL-friendly crypto accelerator
Message-ID: <40766EE2.9040708@netli.com>
In-Reply-To: <20040409090705.GS293@e-card.bg>

Rumen Telbizov wrote:
> Hi
>
>> I can second/confirm Mike's observations here.
>>
>> I've got a pair of HI/FN 7951 cards which get used by SSH if I select
>> 3DES, but there is no sign that Apache attempts to use it for either
>> the public-key RSA/DSA crypto during HTTPS session startup, nor later
>> for the symmetric crypto.
>
> Excuse my ignorance but I think it would be appropriate
> to clarify the architecture of using cryptocards with
> openssl.
> Sorry if this has been discussed.
>
> I assume the following:
> 1. We have an ssl library - openssl.
> 2. We have a crypto card(s) installed.
> 3. We have applications using
>    openssl functions, say mod_ssl, ssh.
>
> If the crypto card is supported, then
> openssl should be able to use its registered
> functions - say 3DES.

A small correction here: the main thing to accelerate in SSL is usually
not a symmetric cipher (3DES, AES, etc.), but an asymmetric one (i.e.,
RSA), where the typical application wastes most of the CPU time.

> If both ssh and mod_ssl use the same
> library - openssl - and its functions (3DES),
> how come that one application benefits
> from the hardware acceleration and
> the other one does not?!

In order to take advantage of the underlying hardware, openssl either
uses its own code for dealing with hardware, or contains a wrapper which
in turn employs the vendor-provided library installed on that host
(typically, a shared library which will be attached by openssl during its
initialization/setting up sequence).

However, as 1) the host machine may have several hardware accelerators,
and/or 2) it is not generally known whether the requesting application
really WANTS to accelerate things, openssl needs to be explicitly
initialized by the application to take advantage of additional hardware.
Typically, it may be done by either specifying the type of hardware at
that application's configuration level, or an application itself may
contain some defaults or a "use first available crypto card" call to
openssl.

IT DEPENDS FROM APPLICATION TO APPLICATION, so the fact that every
application on your host uses openssl does not automatically mean that
they'll use the accelerators. It may well be so that one application
uses one crypto card, and another one uses a completely separate one,
all being on a single machine.

Further reading:

  man engine    # This is an openssl hardware abstraction, mostly by Geoff Thorpe

> If there are other details that I'm missing
> in this picture I'll be glad to know them.
>
> Thank you
>
> Rumen Telbizov

-- 
Lev Walkin
vlm@netli.com
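One way to do the "configuration level" initialization described in the reply, as an added example that is not part of the original thread: an openssl.cnf fragment that registers the FreeBSD cryptodev engine for RSA only and leaves the symmetric ciphers in software. The section names, the engine id and the RSA-only choice are illustrative assumptions; the fragment is honoured only by applications that actually load the config (OPENSSL_config(), or OPENSSL_init_crypto() with OPENSSL_INIT_LOAD_CONFIG, which libssl users get by default since OpenSSL 1.1.0).

```ini
# openssl.cnf fragment (added example; section names are illustrative).
# The top-level directive must sit in the unnamed default section,
# before any [section] header.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
# One entry per accelerator; a host with several cards gets several lines,
# each pointing at its own section.
cryptodev = cryptodev_section

[cryptodev_section]
# Engine id as registered with libcrypto ("openssl engine" lists them).
engine_id = cryptodev
# Offload only the expensive RSA operations; 3DES/AES stay in software,
# which is not where an SSL server typically spends its CPU time.
default_algorithms = RSA
# Initialise the engine at config-load time so a failure is visible
# immediately rather than on the first TLS handshake.
init = 1

# Check from the shell that the engine loads and is usable:
#   openssl engine -t -c cryptodev
# and compare "openssl speed rsa2048" with and without "-engine cryptodev"
# to confirm the RSA work actually left the CPU.
```

An application that never loads the config ignores this file entirely, so Apache and sshd on the same host can still end up on different engines, or none, exactly as the reply describes.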