Hey Ari,

if you use a recent Intel CPU with AES-NI support and OpenSSL 1.0.1, hardware acceleration will be used by default if you're using AES ciphers.

You can benchmark the performance with and without hardware acceleration using these two commands:

# without acceleration
OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp aes-256-cbc

# with acceleration
openssl speed -elapsed -evp aes-256-cbc

In our tests we got 2-3 times better performance with AES-NI, but there is a big performance jump already when going from OpenSSL 0.9.8 to 1.0.1.

Kind regards,

John

Baptiste wrote:
On Tue, May 27, 2014 at 9:34 AM, Aristedes Maniatis<[email protected]>  wrote:
Without purchasing specific expensive add-on cards [1], is there something 
specific to some modern CPUs which will accelerate SSL handling in haproxy 1.5?

That is, should I be looking for something in a CPU which will improve 
performance considerably? There is an Intel instruction set called AES-NI but I 
don't know if that applies to HTTPS traffic. As I understand, the initial 
negotiation in SSL is rsa/dsa but then the payload is transported using 
symmetric key encryption (like AES?).

I'm only looking to handle about 50Mb/s of SSL traffic, so I'm not aiming very 
high. But it would be nice to know the headroom is there.


Cheers
Ari


[1] http://www.cavium.com/processor_security_nitrox-III.html
--


Hi Ari,

If you use the right CPU and OpenSSL library, then you can benefit
from CPU's AES instructions to increase your SSL capacity.
You have to tune your HAProxy 'ciphers' directive to tell HAProxy to
use in priority the ones that will benefit from AES instructions.

You can easily do 50Mb of SSL with a single core, but it depends on
the object size, on the key renegotiation frequency, on connection
keep alives, etc...

Baptiste


--
John-Paul Bader | Software Development

www.wooga.com
wooga GmbH | Saarbruecker Str. 38 | D-10405 Berlin
Sitz der Gesellschaft: Berlin; HRB 117846 B
Registergericht Berlin-Charlottenburg
Geschaeftsfuehrung: Jens Begemann, Philipp Moeser
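
The comparison described in the message above, as an added example that is not part of the original thread: it checks for the aes CPU flag, runs the two benchmark commands, and reports the ratio of the 8192-byte throughput columns. It assumes Linux (/proc/cpuinfo) and the usual `openssl speed` summary row; the function names are hypothetical and the sample rows are constructed, not measured.

```sh
#!/bin/sh
# Added example: compare AES-256-CBC throughput with and without AES-NI.

# Succeeds if the "flags" line of a cpuinfo-style file lists "aes" (AES-NI).
# Linux-specific; the optional file argument exists so the check can be tested.
has_aesni() {
    grep -E '^flags[[:space:]]*:' "${1:-/proc/cpuinfo}" | grep -qw aes
}

# Read `openssl speed` output on stdin and print the 8192-byte column
# (thousands of bytes per second, "k" suffix stripped) for the row named $1.
speed_8k() {
    awk -v c="$1" 'tolower($1) == c { sub(/k$/, "", $6); print $6; exit }'
}

# Ratio of two throughput figures, two decimals; fails on a missing baseline.
speedup() {
    awk -v a="$1" -v b="$2" 'BEGIN { if (b <= 0) exit 1; printf "%.2f\n", a / b }'
}

# Run both benchmarks from the message and report the ratio.
compare_aesni() {
    cipher="${1:-aes-256-cbc}"
    soft=$(OPENSSL_ia32cap="~0x200000200000000" \
           openssl speed -elapsed -evp "$cipher" 2>/dev/null | speed_8k "$cipher")
    hard=$(openssl speed -elapsed -evp "$cipher" 2>/dev/null | speed_8k "$cipher")
    echo "software: ${soft}k  AES-NI: ${hard}k  speedup: $(speedup "$hard" "$soft")x"
}

# Constructed sample summary rows (not measurements), for trying the parser.
SAMPLE_SOFT='aes-256-cbc     200000.00k   210000.00k   215000.00k   216000.00k   220000.00k'
SAMPLE_HARD='aes-256-cbc     500000.00k   540000.00k   545000.00k   548000.00k   550000.00k'

# Benchmark only when asked to: sh aesni.sh run
if [ "${1:-}" = "run" ]; then
    has_aesni || echo "no aes flag in /proc/cpuinfo; expect a ratio near 1"
    compare_aesni aes-256-cbc
fi
```

A ratio near 1 on a CPU that does list the aes flag suggests the OpenSSL build in use has no AES-NI code path, which is the 0.9.8 versus 1.0.1 difference the message mentions.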