On 27/05/2014 6:59pm, Lukas Tribus wrote:
> Hi,
>
>
>> Without purchasing specific expensive add-on cards [1], is there
>> something specific to some modern CPUs which will accelerate SSL
>> handling in haproxy 1.5?
>>
>> That is, should I be looking for something in a CPU which will
>> improve performance considerably? There is an Intel instruction
>> set called AES-NI but I don't know if that applies to HTTPS
>> traffic. As I understand, the initial negotiation in SSL is rsa/dsa
>> but then the payload is transported using symmetric key encryption
>> (like AES?).
>>
>> I'm only looking to handle about 50Mb/s of SSL traffic, so I'm not
>> aiming very high. But it would be nice to know the headroom is there.
>
> Bandwidth is not really the limiting factor, handshakes per second is.
> AES-NI gives you a nice performance boost but doesn't help with handshakes
> afaik.
>
> What's important, among other points, is having enough entropy, and the RDRAND
> feature of modern CPUs can help you there (if you trust your CPU vendor).
>
> Otherwise, there are some software projects like haveged or audio entropy daemon
> that can feed random data in the kernel.
>
>
> Keep-alive and session id resumption are very important features to scale
> an SSL enabled site, so double check that those things are working properly.
Right, so then it isn't about AES at all, but the public key negotiation and key generation. We are running on FreeBSD 10 which feeds /dev/random from Yarrow and that in turn grabs entropy from the CPU and other places. So I think we should be good since we are unlikely to run out of entropy there. aesni_load="YES" in loader.conf should take care of the AES side of things.

If the NSA wanted credit card numbers they could just go get them from Mastercard directly, and there isn't really much else of great espionage interest in the transactional data. So I'm not overly concerned about the backdoors in the Intel CPUs.

Thanks for the useful information.

Ari

-- 
-------------------------->
Aristedes Maniatis
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001   fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A
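Since the advice above ends with "double check that those things are working properly", here is a small shell check for session id resumption. It is an added example, not code from the haproxy list or project. It assumes `openssl` is installed and relies on `openssl s_client -reconnect`, which makes one connection and then reconnects five times, printing a status line beginning with "New," for a full handshake and "Reused," when the session was resumed; the `host:port` argument is whatever you pass in.

```shell
#!/bin/sh
# check_resumption.sh: verify that a TLS endpoint actually resumes sessions.
# Added example, not part of the haproxy project; assumes `openssl` (1.0.x or
# later) is on the PATH and that the caller supplies host:port.

# Summarise `openssl s_client -reconnect` output read on stdin.
# s_client prints one status line per connection, starting with either
# "New," (full handshake) or "Reused," (session resumed).
summarize_resumption() {
    awk '
        /^New,/    { new++ }
        /^Reused,/ { reused++ }
        END        { printf "new=%d reused=%d\n", new + 0, reused + 0 }
    '
}

# Return 0 when exactly one full handshake happened and every later
# connection was resumed; takes the "new=N reused=M" summary as argument.
resumption_ok() {
    new="${1%% *}"        # "new=N"
    reused="${1##* }"     # "reused=M"
    [ "$new" = "new=1" ] && [ "${reused#reused=}" -gt 0 ]
}

# usage: check_host host:port   (e.g. check_host www.example.com:443)
# stdin is /dev/null so s_client exits after the reconnect loop.
check_host() {
    summary=$(openssl s_client -connect "$1" -reconnect </dev/null 2>/dev/null \
              | summarize_resumption)
    echo "$1: $summary"
    if resumption_ok "$summary"; then
        echo "session resumption works"
    else
        echo "WARNING: sessions are not being resumed (every reconnect is a full handshake)"
    fi
}
```

If every reconnect reports "New," the server is not resuming sessions and each connection pays the full public-key handshake cost, which is the handshakes-per-second limit discussed above. In haproxy 1.5 the session cache is sized with `tune.ssl.cachesize` and its lifetime set with `tune.ssl.lifetime` in the global section; those are the first settings to look at if the check fails.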

