On Fri, 18 Dec 2009, Robert Bailey wrote:

> No expert here, but testing pkcs#11 engine via openssl can be done as follows:
> I tend to test with and without the multi option; when using multi I set it to
> number of CPU / Thread / Core on the system

hi Robert, note that there are some known issues with -multi. I'm not sure if
both apply to the latest OpenSSL as well but I assume they probably do:

6733439 OpenSSL speed test shows incorrect multi-process numbers when PKCS#11 engine is engaged
6823906 openssl speed metric does not handle multiple processes well

J.

>
> Tests pkcs11 using RSA 1024 and 2048
>
> /usr/sfw/bin/openssl speed rsa1024 rsa2048 -engine pkcs11
>
> and
>
> /usr/sfw/bin/openssl speed rsa1024 rsa2048 -engine pkcs11 -multi 8
>
> Drop the -engine to see the same test without pkcs11
>
>
> Some examples -
>
> T1000 LDOM - 8 vCPU's assigned - using MAU and pkcs11 engine
>
>                   sign    verify    sign/s verify/s
> rsa 1024 bits 0.0000s 0.0000s  21315.0  27432.5
> rsa 2048 bits 0.0001s 0.0000s  17936.4  25397.1
>
> Without pkcs11
>
>                   sign    verify    sign/s verify/s
> rsa 1024 bits 0.0194s 0.0011s     51.7    894.5
> rsa 2048 bits 0.1187s 0.0037s      8.4    273.1
>
> Big difference - but remember using MAU / On Chip Crypto
>
>
> Same tests using sol10 on a x2200 8 cores, 48GB Ram:
>
> /usr/sfw/bin/openssl speed rsa1024 rsa2048 -engine pkcs11
>                   sign    verify    sign/s verify/s
> rsa 1024 bits 0.0020s 0.0001s    506.6   6734.5
> rsa 2048 bits 0.0113s 0.0005s     88.7   2036.3
>
> /usr/sfw/bin/openssl speed rsa1024 rsa2048 -engine pkcs11 -multi 8
>
>                   sign    verify    sign/s verify/s
> rsa 1024 bits 0.0002s 0.0000s   4028.4  53602.4
> rsa 2048 bits 0.0014s 0.0001s    711.0  16276.7
>
>
>
> On Dec 17, 2009, at 8:49 AM, tensy joseph wrote:
>
>> Hi Jan,
>>
>> I have used your patch and successfully able to build too. Thanks for
>> developing this code.
>> Need your help on this
>> 1. I want to test pkcs11 engine. Do you have any test cases for testing the
>> pkcs#11 engine? or guide me how to test the pkcs#11 engine?
>> 2. To enable pkcs11 engine for openssh? do you have any patch which can be
>> applied for openssh too. I hope so ssh too have to rewritten and it might have
>> to use the Openssl engine pkcs11 API which you have written?
>> Please correct me if I am wrong.
>> Hope so you will help me.
>> Thanks in Advance
>> Rajan
>> _______________________________________________
>> security-discuss mailing list
>> security-discuss at opensolaris.org
>

-- 
Jan Pechanec
http://blogs.sun.com/janp