From: Sam Leffler
Organization: Errno Consulting
To: Mike Tancsa, Bill Swingle, security@freebsd.org
Date: Wed, 22 Oct 2003 10:08:30 -0700
Subject: Re: hardware crypto and SSL?
Message-Id: <200310221008.30969.sam@errno.com>
List-Id: Security issues [members-only posting]

On Wednesday 22 October 2003 07:35 am, Mike Tancsa wrote:
> At 11:44 PM 21/10/2003, Mike Tancsa wrote:
> >Don't know about http ssl, but I am using the cards from Soekris for my
> >backup server. As long as you use 3des for encryption, it does make a big
> >difference CPU wise. The next generation cards supposedly have AES and
> >public key generation, but I don't think the driver will do the public key
> >stuff. The safe driver says it does, but I don't know where to get such
> >cards.
>
> Sorry, I was misspeaking about the safe driver. At the bottom, the Bugs
> section says, "Public key support is not implemented."
>

Actually, Jason Wright took the driver and added PK support but I haven't
brought the changes back to FreeBSD yet. One big problem with the safenet
chips for PK is that they require polling to get the results! Needless to
say this is not optimal.

> I would say give the Soekris card a try. It's $80 and it will help with the
> SHA1 and MD5 calcs as well as provide good RNG. It won't help with RSA key
> generation unfortunately where much of the initial overhead comes from.

The hifn 7955-based cards from Soekris should be available soon. I have no
more info than you do other than I've worked with a prototype that was real.
There are still some issues to work out in the driver but between Jason and
me it should be well supported in time. The big win is that it's got AES and
PK support and should be inexpensive.

A Safenet-based card that does all this too should be available sometime
also but I'm not sure what the product plans are for that (and no I can't
say who's doing the card).

Sam