From owner-freebsd-security@FreeBSD.ORG Fri Apr 9 03:10:46 2004
Date: Fri, 9 Apr 2004 13:11:21 +0300
From: Rumen Telbizov
To: Lev Walkin
cc: security@freebsd.org
Subject: Re: recommended SSL-friendly crypto accelerator
Message-ID: <20040409101121.GT293@e-card.bg>
In-Reply-To: <40766EE2.9040708@netli.com>
References: <26486.1081437513@critter.freebsd.dk> <6.0.3.0.0.20040408112048.07218a00@209.112.4.2> <3009DCC4-8986-11D8-88D0-003065ABFD92@mac.com> <20040409090705.GS293@e-card.bg> <40766EE2.9040708@netli.com>
List-Id: Security issues [members-only posting] (freebsd-security@freebsd.org)

First of all, thank you for your reply!

> >If the crypto card is supported, then
> >openssl should be able to use its registered
> >functions - say 3DES.
>
> A small correction here: the main thing to accelerate in SSL is usually not
> a symmetric cipher (3DES, AES, etc), but an asymmetric one (i.e., RSA),
> where the typical application wastes most of the CPU time.

Absolutely!!!

> >If both ssh and mod_ssl use the same
> >library - openssl - and its functions (3DES),
> >how come that one application benefits
> >from the hardware acceleration and
> >the other one does not?!
>
> In order to take advantage of the underlying hardware, openssl
> either uses its own code for dealing with hardware, or contains
> a wrapper which in turn employs the vendor-provided library installed
> on that host (typically, a shared library which will be attached by openssl
> during its initialization/setting up sequence).
>
> However, as
> 1) the host machine may have several hardware accelerators, and/or
> 2) it is not generally known whether the requesting application really
> WANTS to accelerate things,
> openssl needs to be explicitly initialized by the application to
> take advantage of additional hardware. Typically, it may be done by either
> specifying the type of hardware at that application's configuration level,
> or an application itself may contain some defaults or a "use first available
> crypto card" call to openssl. IT DEPENDS FROM APPLICATION TO APPLICATION,
> so the fact that every application on your host uses openssl does not
> automatically mean that they'll use the accelerators. It may well be so that
> one application uses one crypto card, and another one uses a completely
> separate one, all being on a single machine.

Thanks. I didn't know that. So it seems that mod_ssl does NOT tell openssl
to try to use ANY of the crypto cards, right?
What could possibly be the reason that one application would not want to use
the hardware acceleration!? To leave resources for others?
I couldn't find any options for mod_ssl to enable usage of crypto cards anyway.

> Further reading:
>
> man engine # This is an openssl hardware abstraction, mostly by Geoff Thorpe

Thanks
Rumen Telbizov
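A host-side check for what Lev describes (which engines this openssl build knows, whether a given one actually initialises, and whether RSA, not 3DES, gets faster through it), as an added example that is not part of this thread; the engine id `cryptodev` and the `openssl` command-line tool are assumptions, substitute whatever `openssl engine` lists on your host.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Uses only the openssl(1)
# command-line tool; the engine id passed in is an assumption (e.g. "cryptodev"
# for the /dev/crypto engine on FreeBSD).

# List every ENGINE this openssl build can see, with the capabilities each one
# registers (-c) and whether it initialises (-t). An accelerator only helps an
# application that loads one of these ids explicitly.
list_engines() {
    openssl engine -t -c
}

# Print "available" (engine loaded and its hardware/driver answered),
# "unavailable" (openssl knows the id but it failed to initialise) or
# "missing" (no such engine in this build, or no openssl at all).
probe_engine() {
    id=$1
    out=$(openssl engine -t "$id" 2>/dev/null) || { echo missing; return 0; }
    case $out in
        *"[ available ]"*)   echo available ;;
        *"[ unavailable ]"*) echo unavailable ;;
        *)                   echo missing ;;
    esac
}

# Measure where an accelerator pays off: RSA private-key operations per
# second in software versus through the engine. Options must come before
# the algorithm name on older openssl versions.
compare_rsa() {
    id=$1
    echo "== RSA 2048, software only =="
    openssl speed rsa2048
    echo "== RSA 2048 via engine $id =="
    openssl speed -engine "$id" rsa2048
}

# Typical use, given an engine id on the command line:
#   list_engines; probe_engine cryptodev; compare_rsa cryptodev
# On OpenSSL 3.x the ENGINE API is deprecated in favour of providers;
# `openssl list -providers` is the equivalent inventory there.
```

In Apache httpd's mod_ssl the per-application switch Lev refers to is the `SSLCryptoDevice` directive, which names the engine id openssl should load; without it mod_ssl stays on the software implementation even when `probe_engine` reports the card as available.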