Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 08 Apr 2004 11:26:38 -0400
From:      Mike Tancsa <mike@sentex.net>
To:        "Poul-Henning Kamp" <phk@phk.freebsd.dk>, "Michael W. Lucas" <mwlucas@blackhelicopters.org>
Cc:        security@freebsd.org
Subject:   Re: recommended SSL-friendly crypto accelerator 
Message-ID:  <6.0.3.0.0.20040408112048.07218a00@209.112.4.2>
In-Reply-To: <26486.1081437513@critter.freebsd.dk>
References:  <Your message of "Thu, 08 Apr 2004 10:43:22 EDT." <20040408144322.GA83448@bewilderbeast.blackhelicopters.org> <26486.1081437513@critter.freebsd.dk>
next in thread | previous in thread | raw e-mail | index | archive | help 

At 11:18 AM 08/04/2004, Poul-Henning Kamp wrote:
>In message <20040408144322.GA83448@bewilderbeast.blackhelicopters.org>, 
>"Michae
>l W. Lucas" writes:
> >(Yes, that's a serious concern; I'm looking at 15,000 simultaneous
> >users on a SSL Web site, and would prefer to avoid spending the big
> >bucks on a so-called "hardware SSL accelerator.")
>
>Whee :-)

Although the chip does asymetric transformations, the driver does 
not.  Check the man page

The hifn driver registers itself to accelerate DES, Triple-DES, AES (7955
      and 7956 only), ARC4, MD5, MD5-HMAC, SHA1, and SHA1-HMAC operations for

And even then, openssl is not necessarily tied to the card's 
functions.  For sure des and aes do work, but in my limited tests against a 
server with apache-ssl installed, it doesnt seem to make use of the card.

Looking at a box with a crypto card installed,
% hifnstats
input 351328 bytes 4760 packets
output 351328 bytes 4760 packets
invalid 0 nomem 0 abort 0
noirq 0 unaligned 0
totbatch 0 maxbatch 0
nomem: map 0 load 0 mbuf 0 mcl 0 cr 0 sd 0

... I then connect via https to that machine

% !hi
input 351328 bytes 4760 packets
output 351328 bytes 4760 packets
invalid 0 nomem 0 abort 0
noirq 0 unaligned 0
totbatch 0 maxbatch 0
nomem: map 0 load 0 mbuf 0 mcl 0 cr 0 sd 0


So it appears out of the box it doesnt make use of the card's capabilities.

         ---Mike

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6.0.3.0.0.20040408112048.07218a00>