On 10/29/21 3:58 AM, Emerson Gomes wrote:
If you want "definitive proof" that you're not using AES-NI
instructions during your benchmark, you could simply compile OpenSSL
(and then HAproxy, linking it to this OpenSSL version) passing
"-noaes" flag to GCC in the process.
I know from other tes
Hello,
If you want "definitive proof" that you're not using AES-NI instructions
during your benchmark, you could simply compile OpenSSL (and then HAproxy,
linking it to this OpenSSL version) passing "-noaes" flag to GCC in the
process.
Then, to make sure your compilation succeeded, check both res
On Thu, Oct 28, 2021 at 04:06:42PM -0600, Shawn Heisey wrote:
> The file I transferred is 4GB in size, copied from /dev/urandom with dd.
> Did the pull from another machine on the same gigabit LAN. I picked the
> cipher by watching for TLS 1.2 ciphers shown by testssl.sh and choosing one
> that m
On 10/28/21 2:11 PM, Lukas Tribus wrote:
You would have to run a single request causing a large download, and
run haproxy through a cpu profiler, like perf, and compare outputs.
I am learning all sorts of useful things. I see evidence of acceleration
when pulling a large file with curl! Avera
On Thu, 28 Oct 2021 at 21:20, Shawn Heisey wrote:
>
> On 10/28/21 10:02 AM, Lukas Tribus wrote:
> > You seem to be trying very hard to find a problem where there is none.
> >
> > Definitely do NOT overwrite CPU flags in production. This is to *test*
> > AES acceleration, I put the link to the blog
On 10/28/21 10:02 AM, Lukas Tribus wrote:
You seem to be trying very hard to find a problem where there is none.
Definitely do NOT overwrite CPU flags in production. This is to *test*
AES acceleration, I put the link to the blog post in there for
context, not because I think you need to force th
On Thu, 28 Oct 2021 at 15:49, Shawn Heisey wrote:
>
> On 10/28/21 7:34 AM, Shawn Heisey wrote:
> > Does haproxy's use of openssl turn on the same option that the
> > commandline does with the -evp argument? If it does, then I think
> > everything is probably OK.
>
>
> Running "grep -r EVP ." in t
On 10/28/21 7:34 AM, Shawn Heisey wrote:
Does haproxy's use of openssl turn on the same option that the
commandline does with the -evp argument? If it does, then I think
everything is probably OK.
Running "grep -r EVP ." in the haproxy source tree turns up a lot of
hits in the TLS/SSL code
On 10/28/21 12:31 AM, Lukas Tribus wrote:
You want evidence.
That would be preferred, yes.
Then get a raspberry pi, and run haproxy manually, fake the cpu flag
aes-ni and it should crash when using aes acceleration, because the
cpu doesn't support it.
https://romanrm.net/force-enable-opens
On Thu, 28 Oct 2021 at 08:31, Lukas Tribus wrote:
>
> Hi,
>
> On Thursday, 28 October 2021, Shawn Heisey wrote:
>>
>> On 10/27/2021 2:54 PM, Lukas Tribus wrote:
>>>
>>> I'd be surprised if the OpenSSL API calls we are using doesn't support
>>> AES-NI.
>>
>>
>> Honestly that would surprise me too
Hi,
On Thursday, 28 October 2021, Shawn Heisey wrote:
> On 10/27/2021 2:54 PM, Lukas Tribus wrote:
>
>> I'd be surprised if the OpenSSL API calls we are using doesn't support
>> AES-NI.
>>
>
> Honestly that would surprise me too. But I have no idea how to find out
> whether it's using the accel
On 10/27/21 5:47 PM, Shawn Heisey wrote:
On 10/27/2021 2:54 PM, Lukas Tribus wrote:
I'd be surprised if the OpenSSL API calls we are using doesn't support AES-NI.
Honestly that would surprise me too. But I have no idea how to find out whether
it's using the acceleration or not, and the limit
On 10/27/2021 2:54 PM, Lukas Tribus wrote:
I'd be surprised if the OpenSSL API calls we are using doesn't support AES-NI.
Honestly that would surprise me too. But I have no idea how to find out
whether it's using the acceleration or not, and the limited (and
possibly incorrect) evidence I ha
Hello,
On Wed, 27 Oct 2021 at 22:17, Shawn Heisey wrote:
>
> I am building haproxy from source.
>
> For some load balancers that I used to manage, I also built openssl from
> source, statically linked, and compiled haproxy against that, because
> the openssl included with the OS (CentOS 6 if I r
I am building haproxy from source.
For some load balancers that I used to manage, I also built openssl from
source, statically linked, and compiled haproxy against that, because
the openssl included with the OS (CentOS 6 if I recall correctly) was
ANCIENT. I don't know how to get haproxy to u
15 matches
Mail list logo