On Thu, Jan 10, 2013 at 03:01:29AM +0100, Vincent Bernat wrote:
>  10 January 2013 00:24 CET, Willy Tarreau <[email protected]>:
> 
> >> It depends how AES-NI is compiled in your OpenSSL. On Ubuntu, AES-NI
> >> support is builtin and selected automatically. But if people are using
> >> implementations from Intel for older versions of OpenSSL, the engine
> >> needs to be selected by hand. See:
> >>  
> >> https://groups.google.com/forum/?fromgroups=#!msg/mailing.openssl.dev/Z8PwfK53C2E/pdkktMcnpAEJ
> >
> > Interesting. Are these implementations still in use ? This seems more
> > like early experimentations than definitive releases to me. I don't
> > know if such versions were shipped in any LTS distro, so most likely
> > they'll quickly disappear. Am I wrong ?
> 
> I think you are right. Maybe engines are useful on Cavium cards but I
> really don't know because I have never been able to get one to test

Then you might be interested in the EdgeRouter Lite from Ubiquiti Networks
which seems to be based on this (I'm impatient to put my hands on one of
them but they're not available yet) :

     http://www.ubnt.com/edgemax

> (but it seems that you patch OpenSSL directly, no additional engines). I
> suppose people buying expensive crypto hardware will be able to request
> the feature if they need it.

That's really what I'm thinking too. In fact, once we find benefits from
such a card, we'll know what we want to offload to the card and it'll be
easier to know what we want to make configurable in the engine (e.g.: only
do asym crypto, or some specific ciphers that aes-ni cannot efficiently
run, etc...).

Cheers,
Willy

