Date: Fri, 09 Apr 2004 03:25:38 -0700
From: Lev Walkin <vlm@netli.com>
To: Rumen Telbizov <altares@e-card.bg>
Cc: security@freebsd.org
Subject: Re: recommended SSL-friendly crypto accelerator
Message-ID: <40767A22.7020900@netli.com>
In-Reply-To: <20040409101121.GT293@e-card.bg>
References: <26486.1081437513@critter.freebsd.dk> <6.0.3.0.0.20040408112048.07218a00@209.112.4.2> <3009DCC4-8986-11D8-88D0-003065ABFD92@mac.com> <20040409090705.GS293@e-card.bg> <40766EE2.9040708@netli.com> <20040409101121.GT293@e-card.bg>

Rumen Telbizov wrote:
>>>If both ssh and mod_ssl use the same
>>>library - openssl - and its functions (3DES),
>>>how come that one application benefits
>>>from the hardware acceleration and
>>>the other one does not?!
>>
>>In order to take advantage of the underlying hardware, openssl
>>either uses their own code for dealing with hardware, or contains
>>a wrapper which in turn employs the vendor-provided library installed
>>on that host (typically, a shared library which will be attached by openssl
>>during its initialization/setting up sequence).
>>
>>However, as
>> 1) the host machine may have several hardware accelerators, and/or
>> 2) it is not generally known whether requesting application really
>>    WANTS to accelerate things,
>>the openssl needs to be explicitly initialized by the application to
>>take advantage of additional hardware. Typically, it may be done by either
>>specifying the type of hardware at that application's configuration level,
>>or an application itself may contain some defaults or "use first available
>>crypto card" call to openssl. IT DEPENDS FROM APPLICATION TO APPLICATION,
>>so the fact that every application on your host uses openssl does not
>>automatically mean that they'll use the accelerators. It well may be so that
>>one application uses one crypto card, and another one uses a completely
>>separate one, all being on a single machine.
>
> Thanks. I didn't know that.
> So it seems that mod_ssl does NOT tell the openssl to try to
> use ANY of the crypto cards right? What possible may be
> the reason that one application would not want to use
> the hardware acceleration!? To leave resources for other?
>
> I couldn't find any options for mod_ssl to enable
> usage of crypto cards anyway.

Option names are:

for www/apache13-ssl port: SSLEngineID
for www/apache13-modssl: SSLCryptoDevice

By the way, Google is very helpful in finding the SSLEngineID.
It shows over four documents in return %-)

>>Further reading:
>>
>>man engine # This is an openssl hardware abstraction, mostly by Geoff Thorpe
>
> Thanks
>
> Rumen Telbizov

--
Lev Walkin
vlm@netli.com
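
Added example, not part of the original message and not code from OpenSSL or mod_ssl: a shell check for the point made above, that an accelerator is used only when the application's configuration asks for it and OpenSSL can actually reach it. It assumes the argument of SSLCryptoDevice / SSLEngineID is an OpenSSL engine id and that the listing has the layout printed by `openssl engine -t -c`; the function names and the sample listing are constructed.

```shell
#!/bin/sh

# Constructed stand-in for the output of `openssl engine -t -c` (not captured).
sample_engines() {
cat <<'EOF'
(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH, DES-CBC, DES-EDE3-CBC]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
(ubsec) UBSEC hardware engine support
 [RSA, DSA, DH]
     [ unavailable ]
EOF
}

# usable_engines CIPHER < listing
# Print the ids of engines that are available AND advertise CIPHER.
usable_engines() {
    awk -v want="$1" '
        /^\(/  { id = $1; gsub(/\(|\)/, "", id); caps = ""; next }
        /^ \[/ { caps = $0; gsub(/\[|\]| /, "", caps); next }
        /\[ available \]/ {
            n = split(caps, c, ",")
            for (i = 1; i <= n; i++) if (c[i] == want) print id
        }'
}

# requested_engine CONFIG
# Print the engine id the Apache config asks for, if any. Directive names are
# the two from the message; treating their argument as an engine id is assumed.
requested_engine() {
    awk 'tolower($1) == "sslcryptodevice" || tolower($1) == "sslengineid" {
             print $2; exit }' "$1"
}

# audit CONFIG CIPHER < listing
audit() {
    eng=$(requested_engine "$1")
    if [ -z "$eng" ]; then
        echo "no-engine-requested"
    elif usable_engines "$2" | grep -qx "$eng"; then
        echo "ok:$eng"
    else
        echo "requested-but-unusable:$eng"
    fi
}

# Live use: openssl engine -t -c | audit /path/to/httpd.conf DES-EDE3-CBC
```

A result of "no-engine-requested" is the mod_ssl situation discussed in the thread: the library may see the card, but the application never selects it.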