Hi Grant,

On Thu, Jan 19, 2017 at 11:27:43PM -0800, Grant Zhang wrote:
> Hi Willy,
>
> Thank you very much for your review!
>
> WRT engine configuration, I agree with your point of finer control over
> which crypto ops get handled by hardware engine vs. software. It is possible
> to load/initialize engines using openssl configuration file, which
> is documented in https://github.com/01org/QAT_Engine (section title:
> using the openssl configuration file to load/initialize engines)
>
> If we want more explicit control from haproxy on crypto operations handled
> by ssl engines, how about adding a "default_algorithms" parameter as part
> of the ssl_engine config line, where default_algorithms specifies which
> algorithms supplied by the engine should be used by default. Specify ALL
> to make all algorithms supplied by the engine be used by default.
> Something like the following:
>
> # offload RSA and EC operations to qat engine
> ssl_engine qat default_algorithms RSA,EC

This is *exactly* what the second patch I sent does so I think we're in
line here. My limited understanding of the crypto engines made me unsure
whether we could do better or not.

> default_algorithms could be ALL, RSA, DSA, EC, ... and they could be comma
> separated.
> All available values could be found at:
> https://github.com/openssl/openssl/blob/master/crypto/engine/eng_fat.c#L54
>
> Apparently "default_algorithms" is how openssl solves the engine config
> problem:
> https://github.com/openssl/openssl/blob/master/crypto/engine/eng_cnf.c#L125
>
> In case there are multiple engines the config might be like:
> ssl_engine qat default_algorithms RSA
> ssl_engine dasync default_algorithms RAND
>
> What do you think?

I didn't think it was possible to load multiple engines. Then that makes
total sense! Then this means that the "engine" in global_ssl should instead
become a list of (name,args*).

> I am working on V2 version of my patch to address your comments. Hopefully
> will send it out soon:-)

Great, thanks!
Willy
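As an added example (not haproxy's or OpenSSL's code), this C parser turns the `ssl_engine <name> default_algorithms <list>` lines discussed above into the per-engine (name, algorithms) list Willy mentions, rejecting any algorithm name it does not know. The function and struct names are mine, and the algorithm names beyond ALL, RSA, DSA, EC and RAND are assumed from eng_fat.c.

```c
/* Added example, not haproxy code: parse "ssl_engine <name> [default_algorithms
 * <list>]" lines into a per-engine (name, algorithms) list. ALL, RSA, DSA, EC, RAND
 * are from the thread; DH, CIPHERS, DIGESTS, PKEY are assumed from eng_fat.c. */
#include <stdio.h>
#include <string.h>
#define MAX_ALGOS 8
struct ssl_engine_cfg {
    char name[64];
    char algos[MAX_ALGOS][16];
    int nalgos;                 /* 0: no default_algorithms, engine keeps its own defaults */
};
static const char *known_algos[] = { "ALL", "RSA", "DSA", "DH", "EC", "RAND",
                                     "CIPHERS", "DIGESTS", "PKEY", NULL };
static int algo_known(const char *a)
{
    for (int i = 0; known_algos[i]; i++) if (strcmp(a, known_algos[i]) == 0) return 1;
    return 0;
}
/* 0: parsed, 1: not an ssl_engine line (blank/comment/other keyword), -1: error */
int parse_ssl_engine_line(const char *line, struct ssl_engine_cfg *cfg)
{
    char kw[32], kw2[32], list[128], extra[2], *p, *comma = NULL;
    memset(cfg, 0, sizeof(*cfg));
    int n = sscanf(line, "%31s %63s %31s %127s %1s", kw, cfg->name, kw2, list, extra);
    if (n < 1 || strcmp(kw, "ssl_engine") != 0) return 1;
    if (n == 2) return 0;
    /* n==1: no engine name; n==3: keyword without value; n==5: trailing text */
    if (n != 4 || strcmp(kw2, "default_algorithms") != 0) return -1;
    for (p = list; p; p = comma ? comma + 1 : NULL) {
        if ((comma = strchr(p, ','))) *comma = '\0';
        /* refuse to offload anything we cannot name, and empty items like "RSA," */
        if (!*p || !algo_known(p) || cfg->nalgos >= MAX_ALGOS) return -1;
        strcpy(cfg->algos[cfg->nalgos++], p);
    }
    return 0;
}
/* Walks a whole config text; returns the number of ssl_engine entries, or -1. */
int parse_ssl_engine_config(const char *text, struct ssl_engine_cfg *out, int max)
{
    char buf[1024]; int count = 0;
    if (strlen(text) >= sizeof(buf)) return -1;
    strcpy(buf, text);
    for (char *line = strtok(buf, "\n"); line; line = strtok(NULL, "\n")) {
        struct ssl_engine_cfg tmp;
        int r = parse_ssl_engine_line(line, &tmp);
        if (r < 0 || (r == 0 && count >= max)) return -1;
        if (r == 0) out[count++] = tmp;
    }
    return count;
}
```

Handing each parsed list to ENGINE_set_default_string() is what OpenSSL's eng_cnf.c itself does with the same default_algorithms value.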

