SSL Accelerators

Can anyone out there recommend an affordable ssl accelerator that will
work with a sun enterprise 420? I'm interested in either a pci card or a
standalone unit.

Unfortunately I'm about to launch a website under ssl and we really don't
know just how much that's going to hamper performance.

Also, any performance tuning tips for ssl would be appreciated (for
apache webserver with mod_perl and bea weblogic)

Thanks

Dave

Dave Lowenstein
Programmer/Analyst
Instructional Technology Services
San Diego State University
(619)594-0270
http://www-rohan.sdsu.edu/dept/its

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: SSL Accelerators

On Fri, Aug 02, 2002 at 10:29:58AM -0700, David Lowenstein wrote:
> Can anyone out there recommend an affordable ssl accelerator that will
> work with a sun enterprise 420? I'm interested in either a pci card or a
> standalone unit.
>
> Unfortunately I'm about to launch a website under ssl and we really don't
> know just how much that's going to hamper performance.
>
> Also, any performance tuning tips for ssl would be appreciated (for
> apache webserver with mod_perl and bea weblogic)

My first advice would be to compile openssl with assembly optimizations on,
and make sure you configure session caching in the mod_ssl side.
Have you considered having dedicated boxes doing the ssl, serving static
content, and reverse proxying to the real servers?
That will also reduce the load in Apache, since each request ties a process
and in turn that child has a expensive Perl interpreter embedded, whether it
is serving static content or not. (I am assuming you are using 1.3 here)

Cheers

Daniel

--
Teach Yourself Apache 2 -- http://apacheworld.org/ty24/
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: SSL Accelerators

My recommendation is to look through openssl-engine doco and pick a
supported card.

From experience, I can say that the nCipher ones work just fine on
sparc-solaris, I'm sure the other cards there do the job too.

I was testing out an nCipher nFast800 PCI card in a netra T1 today -
seems to work as advertised... 800 sessions/second is what they say -
it's based on the broadcom chip which a few vendors seem to have
utilised. I don't know what your idea of affordable is and I dont
actually know what they retail for though - see www.ncipher.com for
sales contacts i guess, unfortunately you dont see these on ebay very often.

The openssl-engine support for this one is invoked with the name 'ubsec'

for comparison here's the output of openssl speed -engine ubsec on my
440Mhz Netra T1 test machine:

sign verify sign/s verify/s
rsa 512 bits 0.0001s 0.0001s 14426.2 19789.0
rsa 1024 bits 0.0001s 0.0001s 15316.7 14650.9
rsa 2048 bits 0.0000s 0.0000s 24600.0 83740.0
rsa 4096 bits 0.0250s 0.0247s 40.0 40.5
sign verify sign/s verify/s
dsa 512 bits 0.0000s 0.0000s 30890.0 26485.6
dsa 1024 bits 0.0000s 0.0000s 29602.1 26078.6
dsa 2048 bits 0.0000s 0.0000s 29574.0 27347.2

and without acceleration.....

sign verify sign/s verify/s
rsa 512 bits 0.0058s 0.0005s 171.6 1835.3
rsa 1024 bits 0.0325s 0.0018s 30.8 566.0
rsa 2048 bits 0.2085s 0.0063s 4.8 159.6
rsa 4096 bits 1.4543s 0.0232s 0.7 43.2
sign verify sign/s verify/s
dsa 512 bits 0.0054s 0.0067s 185.2 149.6
dsa 1024 bits 0.0173s 0.0216s 57.8 46.4
dsa 2048 bits 0.0607s 0.0758s 16.5 13.2



Daniel Lopez wrote:

>On Fri, Aug 02, 2002 at 10:29:58AM -0700, David Lowenstein wrote:
>
>
>>Can anyone out there recommend an affordable ssl accelerator that will
>>work with a sun enterprise 420? I'm interested in either a pci card or a
>>standalone unit.
>>
>>Unfortunately I'm about to launch a website under ssl and we really don't
>>know just how much that's going to hamper performance.
>>
>>Also, any performance tuning tips for ssl would be appreciated (for
>>apache webserver with mod_perl and bea weblogic)
>>
>>
>
>My first advice would be to compile openssl with assembly optimizations on,
>and make sure you configure session caching in the mod_ssl side.
>Have you considered having dedicated boxes doing the ssl, serving static
>content, and reverse proxying to the real servers?
>That will also reduce the load in Apache, since each request ties a process
>and in turn that child has a expensive Perl interpreter embedded, whether it
>is serving static content or not. (I am assuming you are using 1.3 here)
>
>Cheers
>
>Daniel
>
>--
>Teach Yourself Apache 2 -- http://apacheworld.org/ty24/
>___________________________________________________________ ___________
>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>User Support Mailing List modssl-users@modssl.org
>Automated List Manager majordomo@modssl.org
>
>


____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: SSL Accelerators

On Fri, 2 Aug 2002, Peter Viertel wrote:

> The openssl-engine support for this one is invoked with the name 'ubsec'
>
> for comparison here's the output of openssl speed -engine ubsec on my
> 440Mhz Netra T1 test machine:

You should probably run that with the "-elapsed" switch :-)

--
Geoff Thorpe
geoff@geoffthorpe.net


____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org