recommended SSL-friendly crypto accelerator

Lev Walkin vlm at netli.com
Fri Apr 9 03:24:30 PDT 2004


Rumen Telbizov wrote:

> 
>>>If both ssh and mod_ssl use the same
>>>library - openssl - and its functions (3DES),
>>>how come that one application benefits
>>>from the hardware acceleration and
>>>the other one does not?!
>>
>>In order to take advantage of the underlying hardware, openssl
>>either uses its own code for dealing with hardware, or contains
>>a wrapper which in turn employs the vendor-provided library installed
>>on that host (typically, a shared library which will be attached by openssl
>>during its initialization/setting-up sequence).
>>
>>However, as
>>	1) the host machine may have several hardware accelerators, and/or
>>	2) it is not generally known whether the requesting application really
>>	WANTS to accelerate things,
>>openssl needs to be explicitly initialized by the application to
>>take advantage of additional hardware. Typically, it may be done by either
>>specifying the type of hardware at that application's configuration level,
>>or an application itself may contain some defaults or a "use first available
>>crypto card" call to openssl. IT VARIES FROM APPLICATION TO APPLICATION,
>>so the fact that every application on your host uses openssl does not
>>automatically mean that they'll use the accelerators. It may well be so that
>>one application uses one crypto card, and another one uses a completely
>>separate one, all being on a single machine.
> 
> 
> Thanks. I didn't know that.
> So it seems that mod_ssl does NOT tell openssl to try to
> use ANY of the crypto cards, right? What may possibly be
> the reason that one application would not want to use
> the hardware acceleration!? To leave resources for others?
> 
> I couldn't find any options for mod_ssl to enable
> usage of crypto cards anyway.

Option names are:
for www/apache13-ssl port:	SSLEngineID
for www/apache13-modssl:	SSLCryptoDevice

By the way, Google is very helpful in finding
the SSLEngineID. It shows over four documents in return %-)

>>Further reading:
>>
>>man engine # This is an openssl hardware abstraction, mostly by Geoff Thorpe
> 
> Thanks
> 
> Rumen Telbizov


-- 
Lev Walkin
vlm at netli.com


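An added example, not code from the thread or from either Apache port: a POSIX shell helper that reads an Apache configuration for the SSLEngineID or SSLCryptoDevice directive named above and, when the openssl tool is present, asks it whether that engine actually loads. The port-name selectors, the "example-card" engine id and the config contents used in the test are assumptions constructed for illustration.

```sh
#!/bin/sh
# Hypothetical helper: does this Apache config opt in to a crypto engine,
# and can openssl on this host load that engine? Without the directive the
# server silently falls back to software crypto, which is what the thread
# describes for the mod_ssl-versus-ssh case.

# engine_directive CONFIG PORT
#   Prints the configured engine id, or "none" when the directive is absent
#   or commented out. PORT selects the directive name used by that port.
engine_directive() {
    conf=$1
    case $2 in
        apache13-ssl)    key=SSLEngineID ;;
        apache13-modssl) key=SSLCryptoDevice ;;
        *) echo "unknown port: $2" >&2; return 2 ;;
    esac
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Apache directive names are case-insensitive, a leading '#' is a
    # comment, and the last occurrence wins when a directive is repeated.
    id=$(awk -v k="$key" '$1 !~ /^#/ && tolower($1) == tolower(k) { v = $2 }
                          END { print v }' "$conf")
    printf '%s\n' "${id:-none}"
}

# engine_available ID
#   Asks the openssl tool to load and self-test the engine (see `man engine`);
#   succeeds only if it reports "[ available ]". Returns 3 if openssl is absent.
engine_available() {
    command -v openssl >/dev/null 2>&1 || return 3
    openssl engine -t "$1" 2>/dev/null | grep -q '\[ available \]'
}

# check_host CONFIG PORT
#   Both checks together, as an operator would run them on the web server.
check_host() {
    id=$(engine_directive "$1" "$2") || return $?
    if [ "$id" = none ]; then
        echo "$2: no engine directive, openssl will use software crypto"
        return 1
    fi
    if engine_available "$id"; then
        echo "$2: engine '$id' configured and loadable"
    else
        echo "$2: engine '$id' configured but openssl cannot load it"
        return 1
    fi
}
```

Run it as `check_host /path/to/httpd.conf apache13-modssl`; a non-zero exit means the server is not going to touch the card regardless of what other openssl users on the host do.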