On Tue, May 27, 2014 at 9:34 AM, Aristedes Maniatis <[email protected]> wrote:
> Without purchasing specific expensive add-on cards [1], is there something 
> specific to some modern CPUs which will accelerate SSL handling in haproxy 
> 1.5?
>
> That is, should I be looking for something in a CPU which will improve 
> performance considerably? There is an Intel instruction set called AES-NI but 
> I don't know if that applies to HTTPS traffic. As I understand, the initial 
> negotiation in SSL is RSA/DSA but then the payload is transported using
> symmetric key encryption (like AES?).
>
> I'm only looking to handle about 50Mb/s of SSL traffic, so I'm not aiming 
> very high. But it would be nice to know the headroom is there.
>
>
> Cheers
> Ari
>
>
> [1] http://www.cavium.com/processor_security_nitrox-III.html
> --


Hi Ari,

If you use the right CPU and OpenSSL library, then you can benefit
from the CPU's AES instructions to increase your SSL capacity.
You have to tune your HAProxy 'ciphers' directive to tell HAProxy to
give priority to the ones that will benefit from AES instructions.

You can easily do 50Mb of SSL with a single core, but it depends on
the object size, on the key renegotiation frequency, on connection
keep-alives, etc.

Baptiste
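
Added example, not part of the original thread: a shell sketch of the two steps the reply mentions, checking that the CPU advertises the `aes` flag and moving AES suites to the front of an OpenSSL cipher string for the `ciphers` keyword on a `bind` line. The cpuinfo text, cipher list, certificate path and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example; sample data is constructed, not taken from the thread.

# Succeeds if cpuinfo text on stdin lists the "aes" flag (AES-NI).
# On a Linux host: has_aesni < /proc/cpuinfo
has_aesni() {
    grep -E '^flags[[:space:]]*:' | grep -qw 'aes'
}

# Reorder a colon-separated OpenSSL cipher string so that AES suites come
# first, keeping the relative order inside each group. Runs in a subshell
# so the IFS and globbing changes do not leak to the caller.
prefer_aes() (
    IFS=:
    set -f
    aes="" other=""
    for c in $1; do
        case $c in
            *AES*) aes="${aes:+$aes:}$c" ;;
            *)     other="${other:+$other:}$c" ;;
        esac
    done
    printf '%s\n' "${aes}${aes:+${other:+:}}${other}"
)

# Constructed sample inputs.
SAMPLE_CPUINFO='processor : 0
flags : fpu sse2 ssse3 pclmulqdq aes avx'
SAMPLE_CIPHERS='CAMELLIA256-SHA:AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA'

if printf '%s\n' "$SAMPLE_CPUINFO" | has_aesni; then
    echo "CPU advertises AES instructions"
    # Certificate path is a placeholder.
    echo "bind :443 ssl crt /path/to/site.pem ciphers $(prefer_aes "$SAMPLE_CIPHERS")"
else
    echo "no aes flag: AES suites will run in software"
fi
```

The reordered string can be checked with `openssl ciphers -v` against the installed OpenSSL before it goes into the HAProxy configuration.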
