Date: Fri, 09 Apr 2004 02:37:38 -0700
From: Lev Walkin <vlm@netli.com>
To: Rumen Telbizov <altares@e-card.bg>
Cc: security@freebsd.org
Subject: Re: recommended SSL-friendly crypto accelerator
Message-ID: <40766EE2.9040708@netli.com>
In-Reply-To: <20040409090705.GS293@e-card.bg>
References: <26486.1081437513@critter.freebsd.dk> <6.0.3.0.0.20040408112048.07218a00@209.112.4.2> <3009DCC4-8986-11D8-88D0-003065ABFD92@mac.com> <20040409090705.GS293@e-card.bg>
Rumen Telbizov wrote:
> Hi
>
>> I can second/confirm Mike's observations here.
>>
>> I've got a pair of HI/FN 7951 cards which get used by SSH if I select
>> 3DES, but there is no sign that Apache attempts to use it for either
>> the public-key RSA/DSA crypto during HTTPS session startup, nor later
>> for the symmetric crypto.
>
> Excuse my ignorance but I think it would be appropriate
> to clarify the architecture of using cryptocards with
> openssl.
> Sorry if this has been discussed.
>
> I assume the following:
> 1. We have an ssl library - openssl.
> 2. We have a crypto card(s) installed.
> 3. We have applications using
> openssl functions say mod_ssl, ssh.
>
> If the crypto card is supported, then
> openssl should be able to use its registered
> functions - say 3DES.

A small correction here: the main thing to accelerate in SSL is usually
not a symmetric cipher (3DES, AES, etc), but an asymmetric one (i.e., RSA),
where the typical application wastes most of the CPU time.

> If both ssh and mod_ssl use the same
> library - openssl - and its functions (3DES),
> how come that one application benefits
> from the hardware acceleration and
> the other one does not?!

In order to take advantage of the underlying hardware, openssl either uses
its own code for dealing with hardware, or contains a wrapper which in turn
employs the vendor-provided library installed on that host (typically, a
shared library which will be attached by openssl during its
initialization/setting up sequence).

However, as 1) the host machine may have several hardware accelerators,
and/or 2) it is not generally known whether the requesting application
really WANTS to accelerate things, openssl needs to be explicitly
initialized by the application to take advantage of additional hardware.

Typically, it may be done by either specifying the type of hardware at
that application's configuration level, or an application itself may
contain some defaults or a "use first available crypto card" call to
openssl. IT DEPENDS FROM APPLICATION TO APPLICATION, so the fact that every
application on your host uses openssl does not automatically mean that
they'll use the accelerators. It well may be so that one application uses
one crypto card, and another one uses a completely separate one, all being
on a single machine.

Further reading:

	man engine	# This is an openssl hardware abstraction, mostly by Geoff Thorpe

> If there are other details that I'm missing
> in this picture I'll be glad to know them.
>
> Thank you
>
> Rumen Telbizov

-- 
Lev Walkin
vlm@netli.com