Hi,
> Without purchasing specific expensive add-on cards [1], is there
> something specific to some modern CPUs which will accelerate SSL
> handling in haproxy 1.5?
>
> That is, should I be looking for something in a CPU which will
> improve performance considerably? There is an Intel instruction
> set called AES-NI but I don't know if that applies to HTTPS
> traffic. As I understand, the initial negotiation in SSL is rsa/dsa
> but then the payload is transported using symmetric key encryption
> (like AES?).
>
> I'm only looking to handle about 50Mb/s of SSL traffic, so I'm not
> aiming very high. But it would be nice to know the headroom is there.

Bandwidth is not really the limiting factor, handshakes per second is.
AES-NI gives you a nice performance boost but doesn't help with handshakes
afaik.

What's important, among other points, is having enough entropy, and the RDRAND
feature of modern CPUs can help you there (if you trust your CPU vendor).
Otherwise, there are some software projects like haveged or audio entropy daemon
that can feed random data into the kernel.

Keep-alive and session ID resumption are very important features to scale
an SSL-enabled site, so double check that those things are working properly.

Regards,
Lukas
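
Added example, not part of the original message: a shell script for two of the checks mentioned above, namely whether the CPU advertises AES-NI and RDRAND, and whether session resumption is actually happening. The function names and the sample inputs are assumptions made for this example; on a real host the inputs would be /proc/cpuinfo and the saved output of `openssl s_client -connect HOST:443 -reconnect </dev/null`.

```shell
#!/bin/sh
# Added example. All sample inputs below are constructed.

# cpu_has_flag FILE FLAG: exit 0 if FLAG is listed on the first "flags" line.
# Whole-word match, so "aes" is not satisfied by a longer flag such as "vaes".
cpu_has_flag() {
    awk -v want="$2" '
        /^flags[ \t]*:/ {
            for (i = 1; i <= NF; i++) if ($i == want) found = 1
            exit
        }
        END { exit(found ? 0 : 1) }' "$1"
}

# resumption_summary FILE: count full ("New, ") and resumed ("Reused, ")
# handshakes reported by s_client -reconnect.
resumption_summary() {
    awk '/^New, /    { n++ }
         /^Reused, / { r++ }
         END { printf "new=%d reused=%d\n", n, r }' "$1"
}

# Constructed sample data: a CPU with AES-NI but without RDRAND, and a
# server that resumed the session on all five reconnects.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CPUINFO=$SAMPLE_DIR/cpuinfo
SAMPLE_SCLIENT=$SAMPLE_DIR/s_client.txt
printf 'processor\t: 0\nflags\t\t: fpu sse4_2 aes avx\n' > "$SAMPLE_CPUINFO"
{
    echo 'New, TLSv1/SSLv3, Cipher is AES128-SHA'
    i=0
    while [ "$i" -lt 5 ]; do
        echo 'drop connection and then reconnect'
        echo 'Reused, TLSv1/SSLv3, Cipher is AES128-SHA'
        i=$((i + 1))
    done
} > "$SAMPLE_SCLIENT"

# Report for the sample data.
for f in aes rdrand; do
    if cpu_has_flag "$SAMPLE_CPUINFO" "$f"; then
        echo "$f: present"
    else
        echo "$f: absent"
    fi
done
resumption_summary "$SAMPLE_SCLIENT"
```

A result of `new=6 reused=0` would mean every reconnect paid for a full handshake, which is the case the reply warns about.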