recommended SSL-friendly crypto accelerator
Mike Tancsa
mike at sentex.net
Thu Apr 8 08:26:15 PDT 2004
At 11:18 AM 08/04/2004, Poul-Henning Kamp wrote:
>In message <20040408144322.GA83448 at bewilderbeast.blackhelicopters.org>,
>"Michael W. Lucas" writes:
> >(Yes, that's a serious concern; I'm looking at 15,000 simultaneous
> >users on a SSL Web site, and would prefer to avoid spending the big
> >bucks on a so-called "hardware SSL accelerator.")
>
>Whee :-)
Although the chip does asymmetric transformations, the driver does
not. Check the man page:
The hifn driver registers itself to accelerate DES, Triple-DES, AES (7955
and 7956 only), ARC4, MD5, MD5-HMAC, SHA1, and SHA1-HMAC operations for
And even then, openssl is not necessarily tied to the card's
functions. For sure des and aes do work, but in my limited tests against a
server with apache-ssl installed, it doesn't seem to make use of the card.
Looking at a box with a crypto card installed,
% hifnstats
input 351328 bytes 4760 packets
output 351328 bytes 4760 packets
invalid 0 nomem 0 abort 0
noirq 0 unaligned 0
totbatch 0 maxbatch 0
nomem: map 0 load 0 mbuf 0 mcl 0 cr 0 sd 0
... I then connect via https to that machine
% !hi
input 351328 bytes 4760 packets
output 351328 bytes 4760 packets
invalid 0 nomem 0 abort 0
noirq 0 unaligned 0
totbatch 0 maxbatch 0
nomem: map 0 load 0 mbuf 0 mcl 0 cr 0 sd 0
So it appears out of the box it doesn't make use of the card's capabilities.
---Mike
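
The before/after comparison in the message above can be scripted; this is an added example, not part of the original post or of any FreeBSD tool. It assumes the `input`/`output` line layout shown in the post; the function names are hypothetical and the "busy" snapshot is constructed.

```shell
#!/bin/sh
# Added example: compare two hifnstats snapshots to see whether the
# card processed anything in between. Function names are hypothetical.

# Snapshot as shown in the post (taken before the https connection).
BEFORE='input 351328 bytes 4760 packets
output 351328 bytes 4760 packets
invalid 0 nomem 0 abort 0'
# Snapshot after the https connection, as shown in the post (unchanged).
AFTER_IDLE=$BEFORE
# Constructed snapshot: what an offloaded workload would look like.
AFTER_BUSY='input 353376 bytes 4792 packets
output 353376 bytes 4792 packets
invalid 0 nomem 0 abort 0'

# Read hifnstats text on stdin, print "in_bytes in_pkts out_bytes out_pkts".
# Exits non-zero if the input/output lines are missing.
hifn_counters() {
    awk '
        $1 == "input"  && $3 == "bytes" { ib = $2; ip = $4; seen++ }
        $1 == "output" && $3 == "bytes" { ob = $2; op = $4; seen++ }
        END { if (seen != 2) exit 1; print ib, ip, ob, op }'
}

# hifn_delta BEFORE AFTER: print the four counter deltas.
# Returns 0 if the card did work, 1 if it stayed idle,
# 2 on unparsable input or counters going backwards (driver reset/reboot).
hifn_delta() {
    b=$(printf '%s\n' "$1" | hifn_counters) || return 2
    a=$(printf '%s\n' "$2" | hifn_counters) || return 2
    printf '%s %s\n' "$b" "$a" | awk '{
        used = 0
        for (i = 1; i <= 4; i++) {
            d[i] = $(i + 4) - $i
            if (d[i] < 0) exit 2
            if (d[i] > 0) used = 1
        }
        print d[1], d[2], d[3], d[4]
        if (used) exit 0
        exit 1
    }'
}

# On a live box (assumption: hifnstats is in PATH):
#   before=$(hifnstats); <make one https request>; after=$(hifnstats)
#   hifn_delta "$before" "$after" || echo "card not used for this traffic"
```

An idle result only shows that no request reached the hifn driver during the interval; it does not say where in the software stack the offload was skipped.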