Date:      Fri, 9 Apr 2004 13:11:21 +0300
From:      Rumen Telbizov <altares@e-card.bg>
To:        Lev Walkin <vlm@netli.com>
Cc:        security@freebsd.org
Subject:   Re: recommended SSL-friendly crypto accelerator
Message-ID:  <20040409101121.GT293@e-card.bg>
In-Reply-To: <40766EE2.9040708@netli.com>
References:  <26486.1081437513@critter.freebsd.dk> <6.0.3.0.0.20040408112048.07218a00@209.112.4.2> <3009DCC4-8986-11D8-88D0-003065ABFD92@mac.com> <20040409090705.GS293@e-card.bg> <40766EE2.9040708@netli.com>

First of all, thank you for your reply!


> >If the crypto card is supported, then 
> >openssl should be able to use its registered
> >functions - say 3DES.
> 
> A small correction here: the main thing to accelerate in SSL is usually not
> a symmetric cipher (3DES, AES, etc), but an asymmetric one (i.e., RSA),
> where the typical application wastes most of the CPU time.

Absolutely !!!

 
> >If both ssh and mod_ssl use the same
> >library - openssl - and its functions (3DES),
> >how come that one application benefits
> >from the hardware acceleration and
> >the other one does not?!
> 
> In order to take advantage of the underlying hardware, openssl
> either uses their own code for dealing with hardware, or contains
> a wrapper which in turn employs the vendor-provided library installed
> on that host (typically, a shared library which will be attached by openssl
> during its initialization/setting up sequence).
> 
> However, as
> 	1) the host machine may have several hardware accelerators, and/or
> 	2) it is not generally known whether the requesting application really
> 	WANTS to accelerate things,
> the openssl needs to be explicitly initialized by the application to
> take advantage of additional hardware. Typically, it may be done by either
> specifying the type of hardware at that application's configuration level,
> or an application itself may contain some defaults or "use first available
> crypto card" call to openssl. IT VARIES FROM APPLICATION TO APPLICATION,
> so the fact that every application on your host uses openssl does not
> automatically mean that they'll use the accelerators. It may well be that
> one application uses one crypto card, and another one uses a completely
> separate one, all being on a single machine.

Thanks. I didn't know that.
So it seems that mod_ssl does NOT tell the openssl to try to
use ANY of the crypto cards, right? What possible reason could
there be for an application not to want to use
the hardware acceleration!? To leave resources for others?

I couldn't find any options for mod_ssl to enable
usage of crypto cards anyway.


> 
> Further reading:
> 
> man engine # This is an openssl hardware abstraction, mostly by Geoff Thorpe

Thanks

Rumen Telbizov
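An added example, not part of the thread: a small POSIX shell helper that shows, on a given host, which engines this openssl build knows about, whether a particular engine actually initialises (which is what an application's "use this crypto card" call needs to succeed), and how RSA throughput compares with and without it, since RSA is where the handshake CPU goes. The engine id is whatever the card's driver registers under (FreeBSD's /dev/crypto engine is "cryptodev"); "no-such-engine-id" is a placeholder.

```shell
#!/bin/sh
# Added example; needs only the stock `openssl` command-line tool.

# engine_status ID -> prints one of:
#   unknown      openssl has no engine with this id (or openssl is missing)
#   available    ENGINE_init succeeded, so applications can use it now
#   unavailable  engine is known but could not be initialised (no device?)
engine_status() {
    out=$(openssl engine -t "$1" 2>/dev/null) || { echo unknown; return 0; }
    case "$out" in
        *"[ available ]"*) echo available ;;
        *)                 echo unavailable ;;
    esac
}

# list_engines -> one engine id per line; the raw listing is "(id) description".
list_engines() {
    openssl engine 2>/dev/null | sed -n 's/^(\([^)]*\)).*/\1/p'
}

# compare_rsa ID -> RSA 2048 sign/verify rates, software first, then with the
# engine. Only meaningful on a host that really has the accelerator.
compare_rsa() {
    id=$1
    echo "software:"
    openssl speed -seconds 3 rsa2048 2>/dev/null | grep '^rsa'
    echo "engine $id:"
    openssl speed -seconds 3 -engine "$id" rsa2048 2>/dev/null | grep '^rsa'
}

# Walk every engine this build knows and report which ones are usable.
# "no-such-engine-id" is a placeholder to show the unknown case.
if [ "${1:-}" = "--report" ]; then
    for e in $(list_engines) no-such-engine-id; do
        printf '%-16s %s\n' "$e" "$(engine_status "$e")"
    done
fi
```

Run with `--report` to see the table; `compare_rsa cryptodev` (or your card's id) gives the before/after numbers on a box with the hardware.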


