remove
remove __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: speed test with cavium engine
Thank you all for your comments, but i still do not have the issue resolved. After your email below, i tried "-multi" and also "time". I also loaded the CPU and took some measurements. But to my surprise, i am getting the same performance numbers, for "time ./openssl speed dsa", in all the three following cases. Case1: With no load on CPU, and without using Cavium command used to measure: "time ./openssl speed dsa" Case2: With CPU loaded, and without using Cavium command used to measure: "time ./openssl speed dsa" command used to load CPU: "openssl speed -multi 10" Case3: With CPU loaded and using Cavium command used to measure: "time ./openssl speed dsa" command used to load CPU: "openssl speed -multi 10" The output i am getting in all the three cases are very similar to the one below. [EMAIL PROTECTED]:/home/eeliazer/cavium/CN1000-linux2.6-openssl-sdk-4.1 /cavium/apps/openssl-0.9.7d/apps# time ./openssl speed dsa Doing 512 bit sign dsa's for 10s: 2149 512 bit DSA signs in 1.52s Doing 512 bit verify dsa's for 10s: 116 512 bit DSA verify in 0.10s Doing 1024 bit sign dsa's for 10s: 46 1024 bit DSA signs in 0.10s Doing 1024 bit verify dsa's for 10s: 37 1024 bit DSA verify in 0.10s Doing 2048 bit sign dsa's for 10s: 13 2048 bit DSA signs in 0.09s Doing 2048 bit verify dsa's for 10s: 10 2048 bit DSA verify in 0.09s OpenSSL 0.9.7d 17 Mar 2004 built on: Thu Jan 4 17:58:02 PST 2007 options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) idea(int) blowfish(idx) compiler: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -fPIC -DCAVIUM_ENGINE -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=pentium -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM available timing options: TIMES TIMEB HZ=100 [sysconf value] timing function used: times signverifysign/s verify/s dsa 512 bits 0.0007s 0.0009s 1413.8 1160.0 dsa 1024 bits 0.0022s 0.0027s460.0370.0 dsa 2048 bits 0.0069s 0.0090s144.4111.1 real4m45.529s user0m2.028s sys 0m0.000s When i use the engine, i expect to see some difference from the baseline software performance. I am noticing no change in numbers, which makes me think somehow i am not properly exercising cavium hardware accelerator. Also the 'openssl speed' program seems to be a confusing one to measure performance. Any suggestions on a good tool to load CPU in a controlled manner, in this context? Your suggestions on how i can really ensure that the hardware is being exercised will be valuable. Thanks in advance. cheers, Elwin. On 1/5/07, Mathias Brossard <[EMAIL PROTECTED]> wrote: Elwin Stelzer Eliazer wrote: > I am trying to compare the performance benefits in using hardware > accelerator, and am experimenting the CAVIUM SSL card. > > I am comparing the results between 'speed' and 'speed -engine cavium', > and i do not see any difference in numbers. > I do see the message 'cavium engine set', but really do not see any > change in the performance numbers. Have you tried using the -multi flag ? If that works try increasing the value to see how it scales. > Is there a way to check if the hardware is really used? Am i missing > some needed steps? Launch openssl with 'time openssl speed rsa...' to see how much CPU is used. That in turn should tell you if the hardware is actually offloading the crypto. Sincerely, -- Mathias Brossard __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: speed test with cavium engine
you may find that the cavium platform is as fast as your CPU - or that the PCI bandwidth is being exhausted etc - however, what you REALLY should be doing is checking your processor load when testing. after all, doing 250m 1024bit keys/s with 1% CPU laod is far far better for a server than 255m 1024bit keys/s with 68% CPU load :-) Unless it saturates the PCI bus and prevents the system from getting sufficient throughput out its NIC's and HBA's :) rick jones __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: How to know it is .pem or der format file
It's been my observation that all the pem files I have come across were ascii text files and all the der files have been binary. Jim. On 1/5/07, Dinh, Thao V CIV NSWCDD, K72 <[EMAIL PROTECTED]> wrote: Hi I have couple private and cert files. How do what kind of format of these files?? Pem or .der format ??? Please help me. TD
RE: How to know it is .pem or der format file
How to know it is .pem or der format filePEM files are base-64 encoded, and they have a BEGIN CERTIFICATE and -END CERTIFICATE- kind of header and footer. On the other hand, DER format are like binary files. If you are able to open the files in an editor, and if the header and footer exists, then it is in PEM format. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dinh, Thao V CIV NSWCDD, K72 Sent: Friday, January 05, 2007 7:02 PM To: openssl-users@openssl.org Subject: How to know it is .pem or der format file Hi I have couple private and cert files. How do what kind of format of these files?? Pem or .der format ??? Please help me. TD DISCLAIMER == This e-mail may contain privileged and confidential information which is the property of Persistent Systems Pvt. Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Pvt. Ltd. does not accept any liability for virus infected mails.
How to know it is .pem or der format file
Hi I have couple private and cert files. How do what kind of format of these files?? Pem or .der format ??? Please help me. TD
compile problems on osx/intel
i'm getting "Undefined symbols" error while compiling openssl on an Intel based Mac. what causes this error? transcipt below. i've tried compiling: openssl-0.9.8d.tar.gz openssl-0.9.8-stable-SNAP-20070105.tar.gz openssl-SNAP-20070104.tar.gz using these two configurations: ./config --prefix=/usr/local --openssldir=/usr/local/openssl ./config no-asm --prefix=/usr/local --openssldir=/usr/local/openssl both produces the following Undefined symbols error: Operating system: i386-apple-darwinDarwin Kernel Version 8.8.2: Thu Sep 28 20:43:26 PDT 2006; root:xnu-792.14.14.obj~1/RELEASE_I386 Configuring for darwin-i386-cc [snip] /usr/bin/ld: Undefined symbols: _X509_STORE_set1_param _X509_VERIFY_PARAM_free _ASN1_generate_nconf _EC_GROUP_get_degree _EC_KEY_dup _EC_KEY_free _EC_KEY_generate_key _EC_KEY_get0_group _EC_KEY_new _EC_KEY_set_group _EVP_ecdsa _PEM_read_bio_ECPKParameters _RSA_generate_key_ex _BIO_set_callback _BIO_set_callback_arg _DH_generate_parameters_ex _DSA_generate_parameters_ex _BIO_set_flags _EVP_CIPHER_nid _X509_REQ_check_private_key _EVP_MD_type _EC_KEY_print _EC_KEY_set_asn1_flag _EC_KEY_set_conv_form _PEM_read_bio_ECPrivateKey _PEM_read_bio_EC_PUBKEY _PEM_write_bio_ECPKParameters _PEM_write_bio_ECPrivateKey _PEM_write_bio_EC_PUBKEY _d2i_ECPrivateKey_bio _d2i_EC_PUBKEY_bio _i2d_ECPKParameters _i2d_ECPrivateKey_bio _i2d_EC_PUBKEY_bio _ECPKParameters_print _EC_GROUP_check _EC_GROUP_get_point_conversion_form _EC_GROUP_new_by_curve_name _EC_GROUP_set_asn1_flag _EC_GROUP_set_point_conversion_form _EC_GROUP_set_seed _EC_METHOD_get_field_type _EC_POINT_point2bn _EC_get_builtin_curves _d2i_ECPKParameters _EVP_idea_cbc _BIO_new_dgram _BIO_test_flags _DTLSv1_server_method _EC_KEY_new_by_curve_name _SSL_CTX_set_info_callback _DTLSv1_client_method _SSL_COMP_get_name _SSL_get_current_compression _SSL_get_current_expansion _ECDH_compute_key _ECDSA_sign _ECDSA_verify _EC_KEY_get0_public_key _EC_KEY_precompute_mult _SHA256 _SHA512 _idea_cbc_encrypt _idea_options _idea_set_encrypt_key _X509_POLICY_NODE_print _X509_STORE_CTX_get0_policy_tree _X509_STORE_CTX_get_explicit_policy _X509_VERIFY_PARAM_add0_policy _X509_VERIFY_PARAM_new _X509_VERIFY_PARAM_set_flags _X509_VERIFY_PARAM_set_purpose _X509_policy_tree_get0_policies _X509_policy_tree_get0_user_policies _BIO_get_callback_arg _EVP_PKEY_add1_attr_by_NID _BN_is_prime_ex collect2: ld returned 1 exit status make[2]: *** [link_app.] Error 1 make[1]: *** [openssl] Error 2 make: *** [build_apps] Error 1 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: speed test with cavium engine
Elwin Stelzer Eliazer wrote: > I am trying to compare the performance benefits in using hardware > accelerator, and am experimenting the CAVIUM SSL card. > > I am comparing the results between 'speed' and 'speed -engine cavium', > and i do not see any difference in numbers. > I do see the message 'cavium engine set', but really do not see any > change in the performance numbers. Have you tried using the -multi flag ? If that works try increasing the value to see how it scales. > Is there a way to check if the hardware is really used? Am i missing > some needed steps? Launch openssl with 'time openssl speed rsa...' to see how much CPU is used. That in turn should tell you if the hardware is actually offloading the crypto. Sincerely, -- Mathias Brossard __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Issues with openssl client application while trying to connect to rsasecurity webserver.
Can any one please help me on the below question? Is it because that the rsasecurity server certificate is issued by www.valicert.com and valicert.com trusted root is not available to complete the certificate chain? Thanks, Ravi. On 1/4/07, ravi shankar <[EMAIL PROTECTED]> wrote: Hi, We have issues in our openssl application when we try to connect to www.rsasecurity.com:443. In our application, we get the CA certificates corresponding to the webserver, convert them from .der to .pem format, concatenate them and store in a single file. This file is used as the CA certificate when we connect to the webserver. These steps works fine with other webservers, but does not work with rsasecurity site (fails with the error 'unable to get local issuer certificate') Any thought on this issue would be appreciated. Thanks, Ravi. # openssl s_client -connect www.rsasecurity.com:443 -CAfile rsa.pem CONNECTED(0003) depth=3 /O=RSA Security Inc./CN=RSA Public Root CA v1/emailAddress= [EMAIL PROTECTED] verify error:num=20:unable to get local issuer certificate verify return:0 --- Certificate chain 0 s:/C=US/ST=Massachusetts/L=Bedford/O=RSA Security Inc./OU=Information Services/CN=www.rsasecurity.com i:/O=RSA Security Inc./OU=KCA Services/CN=RSA Corporate Server CA/L=Bedford/ST=Massachusetts/C=US 1 s:/O=RSA Security Inc./OU=KCA Services/CN=RSA Corporate Server CA/L=Bedford/ST=Massachusetts/C=US i:/O=RSA Security Inc./OU=KCA Services/CN=RSA Corporate/L=Bedford/ST=Massachusetts/C=US 2 s:/O=RSA Security Inc./OU=KCA Services/CN=RSA Corporate/L=Bedford/ST=Massachusetts/C=US i:/O=RSA Security Inc./CN=RSA Public Root CA v1/emailAddress= [EMAIL PROTECTED] 3 s:/O=RSA Security Inc./CN=RSA Public Root CA v1/[EMAIL PROTECTED] i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 3 Policy Validation Authority/CN=http://www.valicert.com//[EMAIL PROTECTED] --- Server certificate -BEGIN CERTIFICATE- MIIENTCCA56gAwIBAgIRAOqEBDZm7QSDfm0llhnyDIUwDQYJKoZIhvcNAQEFBQAw gYwxGjAYBgNVBAoTEVJTQSBTZWN1cml0eSBJbmMuMRUwEwYDVQQLEwxLQ0EgU2Vy dmljZXMxIDAeBgNVBAMTF1JTQSBDb3Jwb3JhdGUgU2VydmVyIENBMRAwDgYDVQQH EwdCZWRmb3JkMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMQswCQYDVQQGEwJVUzAe Fw0wNjA3MTMyMjIxNThaFw0wODA3MTQyMjIxNTBaMIGQMQswCQYDVQQGEwJVUzEW MBQGA1UECBMNTWFzc2FjaHVzZXR0czEQMA4GA1UEBxMHQmVkZm9yZDEaMBgGA1UE ChMRUlNBIFNlY3VyaXR5IEluYy4xHTAbBgNVBAsTFEluZm9ybWF0aW9uIFNlcnZp Y2VzMRwwGgYDVQQDExN3d3cucnNhc2VjdXJpdHkuY29tMIGfMA0GCSqGSIb3DQEB AQUAA4GNADCBiQKBgQDy/4taDghmlVVBv70QQGsPPj6x+71xwp7IEa4ZttPeXGuh T/JpZHTVbAjPOimocJgUK5pMgw/o114vx1vkONCd009NfDNfBzknsWvi9BbFKedQ GaVnwcIepddXV68OZvzwMcFWcfkcGw08P7bAmleFC8dKq86jdel1R5s4EnBrkwID AQABo4IBjzCCAYswDgYDVR0PAQH/BAQDAgO4MBEGCWCGSAGG+EIBAQQEAwIGQDAe BgNVHREEFzAVghN3d3cucnNhc2VjdXJpdHkuY29tMB8GA1UdIwQYMBaAFInPTrWg h15+Q3jRmUloB3yEBzNWMIGSBgNVHSAEgYowgYcwgYQGCSqGSIb3DQUHAjB3MC4G CCsGAQUFBwIBFiJodHRwOi8vY2EucnNhc2VjdXJpdHkuY29tL0NQUy5odG1sMEUG CCsGAQUFBwICMDkwGBYRUlNBIFNlY3VyaXR5IEluYy4wAwIBARodQ1BTIEluY29y cG9yYXRlZCBieSByZWZlcmVuY2UwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF BwMCMB0GA1UdDgQWBBQ8VhDHWyyllW0UYG8jogOa2c4FVjBSBgNVHR8ESzBJMEeg RaBDhkFodHRwOi8vY3JsLnJzYXNlY3VyaXR5LmNvbTo4MC9SU0ElMjBDb3Jwb3Jh dGUlMjBTZXJ2ZXIlMjBDQS0yLmNybDANBgkqhkiG9w0BAQUFAAOBgQCvSlV4/CRs VdjvpGtd/sqhqR1dgcdDNmC+ZqTon+anIxe63VK6j/bKlkJ5LIA4ZZZ7hGg3R8tm AeOEgLnB7k76tzq+ArtBKCGbg7J6Dtb+SmwhbBTuakxaDMJYh+VC/8kZcEeWLyZ1 NuvMWG4lQw9sO6w+mklylieweP4gV7naEA== -END CERTIFICATE- subject=/C=US/ST=Massachusetts/L=Bedford/O=RSA Security Inc./OU=Information Services/CN=www.rsasecurity.com issuer=/O=RSA Security Inc./OU=KCA Services/CN=RSA Corporate Server CA/L=Bedford/ST=Massachusetts/C=US --- No client certificate CA names sent --- SSL handshake has read 3717 bytes and written 330 bytes --- New, TLSv1/SSLv3, Cipher is RC4-MD5 Server public key is 1024 bit SSL-Session: Protocol : TLSv1 Cipher: RC4-MD5 Session-ID: 480E3102AFE2332FEBD5BCCD5B5F0F6E04E0F144DA95C31F5968E47BFFE6 Session-ID-ctx: Master-Key: BB45A97530F6BFFE1CA3A09C93ACAB59243243424A66C4A14993AADB7A15921C9AA9F0BB4F40D8DBB82C483AF5592C99 Key-Arg : None Start Time: 1167908925 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate) ---
Re: speed test with cavium engine
Hi, > Hi, > > I am trying to compare the performance benefits in using hardware > accelerator, and am experimenting the CAVIUM SSL card. > > I am comparing the results between 'speed' and 'speed -engine cavium', and i > do not see any difference in numbers. > I do see the message 'cavium engine set', but really do not see any change > in the performance numbers. you may find that the cavium platform is as fast as your CPU - or that the PCI bandwidth is being exhausted etc - however, what you REALLY should be doing is checking your processor load when testing. after all, doing 250m 1024bit keys/s with 1% CPU laod is far far better for a server than 255m 1024bit keys/s with 68% CPU load :-) alan __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Error Loading Certificates - Cavium Cards used
Hello All: We had an SSL enabled client application which was working fine.Recently we ran our client application in a machine with Cavium Nitrox Cards to enable efficient operation during stress scenario. The NITROX SDK includes an evaluation board with modified OpenSSL using Cavium's TurboSSL Macro APIs. However I didn't change none of the OpenSSL API's which I had before to make it compatible with the Cavium except for including some of the libraries of Cavium Turbo SSL. I observe that 80% of the time the "SSL_CTX_use_PrivateKey_file" function returns false.Thus the key file fails to get read. In non cavium mode I have no issues. All sessions run smoothly. My function is as below: if(!(SSL_CTX_use_PrivateKey_file(ctx,clientcert,SSL_FILETYPE_PEM))) { LOG_ERROR_MSG << "Can't read key file of :" <