Hi Ian,

On Fri, Jan 04, 2013 at 06:02:47PM -0800, Ian Scott wrote:
> The following is a patch that adds OpenSSL engine support to HAProxy.
> This is necessary for those running load balancers and wish to offload
> the SSL to any hardware devices. I've tested it with the OpenSSL padlock
> engine, but it should handle any engine (such as the aesni engine on
> recent Intel CPUs) as it's simply given as a string argument to OpenSSL.
> This has been adapted from Stud's engine support.

We already have a very similar patch that we never merged because we could not find an engine which was faster than the CPU yet. We have tried with mvcesa and a hifn7955 VPN card and both of them caused a significant performance drop. The reason was that both of them use cryptodev, which has a high overhead and which is suited only for very large blocks.

So we decided that we first need to add parameters to configure what algorithms can be delegated to the engine before merging the patch, otherwise users will blindly enable it then report bad performance.

Did you get a significant performance gain with padlock? I've not had the chance to test one yet. I don't even know if it requires an engine or not. At least with aes-ni, it's included in the native code, you don't need the engine (and the perf gain is impressive, we achieved 5 Gbps of AES256 per core).

Thanks,
Willy

