On 4/29/2015 3:00 PM, Shawn Heisey wrote:
> How can I be sure that openssl is compiled with support for TLS
> acceleration in the CPU?  I am compiling haproxy from source.  Would you
> recommend that I install a separate and newer openssl from source for
> explicit use with haproxy, and tweak its config for the specific
> hardware it's on?

Followup on the openssl part of my email.

I built and installed openssl 1.0.2a from source, with this config line:

./config no-shared enable-ec_nistp_64_gcc_128 threads

Then I built haproxy using this command:

make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 CPU=native \
  SSL_INC=/usr/local/ssl/include SSL_LIB=/usr/local/ssl/lib ADDLIB=-ldl

Here's the 'haproxy -vv' and 'uname -a' output:

---------------
HA-Proxy version 1.5.11 2015/01/31
Copyright 2000-2015 Willy Tarreau <w...@1wt.eu>

Build options :
  TARGET  = linux2628
  CPU     = native
  CC      = gcc
  CFLAGS  = -O2 -march=native -g -fno-strict-aliasing
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.2a 19 Mar 2015
Running on OpenSSL version : OpenSSL 1.0.2a 19 Mar 2015
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.31 2012-07-06
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.
---------------
Linux lb1 3.13.0-49-generic #83-Ubuntu SMP Fri Apr 10 20:11:33 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
---------------

Can anyone who's knowledgeable about this look over what I've done and
tell me if they'd do something different?  I also still need some
assistance with the rest of my original email.

Side issue, mentioning in case it's important, though I suspect it
isn't:  When I built openssl with the indicated config, 'make test'
failed, but it passed on an earlier build with 'shared' instead of
'no-shared'.  I rebuilt with no-shared because haproxy was dynamically
linking the older openssl library installed from ubuntu packages,
instead of the newer library used for compile.

Thanks,
Shawn
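
Added example, not part of the original message: a shell sketch of two checks relevant to the question above. It compares the "Built with" and "Running on" OpenSSL lines of 'haproxy -vv' (they differ when the binary loads a different shared library than it was compiled against) and looks for the aes and pclmulqdq CPU flags in /proc/cpuinfo-style text. The function names and the sample inputs other than the two matching version lines are constructed for illustration.

```shell
#!/bin/sh
# Two version lines as shown in the 'haproxy -vv' output in the message.
SAMPLE_MATCH='Built with OpenSSL version : OpenSSL 1.0.2a 19 Mar 2015
Running on OpenSSL version : OpenSSL 1.0.2a 19 Mar 2015'
# Constructed: what a binary loading an older shared library would report.
SAMPLE_MISMATCH='Built with OpenSSL version : OpenSSL 1.0.2a 19 Mar 2015
Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014'
# Constructed, shortened cpuinfo flags line.
SAMPLE_CPU='flags : fpu sse2 ssse3 pclmulqdq aes'

# Print the value following "<label> : " from 'haproxy -vv' text on stdin.
vv_field() {
    sed -n "s/^$1 : //p" | head -n 1
}

# 0 = build and runtime versions match, 1 = mismatch, 2 = lines not found.
openssl_versions_match() {
    built=$(printf '%s\n' "$1" | vv_field 'Built with OpenSSL version')
    running=$(printf '%s\n' "$1" | vv_field 'Running on OpenSSL version')
    [ -n "$built" ] && [ -n "$running" ] || return 2
    [ "$built" = "$running" ]
}

# 0 if the cpuinfo text in $1 lists exactly the flag $2 (whole-word match,
# so "sse3" does not match "ssse3").
cpu_has_flag() {
    printf '%s\n' "$1" | grep -E '^flags[[:space:]]*:' | head -n 1 |
        tr ' \t' '\n\n' | grep -qx "$2"
}

# Live use: check_host "$(haproxy -vv)" "$(cat /proc/cpuinfo)"
check_host() {
    openssl_versions_match "$1" \
        && echo "openssl: build and runtime versions match" \
        || echo "openssl: version mismatch or lines not found"
    for f in aes pclmulqdq; do
        cpu_has_flag "$2" "$f" && echo "cpu: $f present" || echo "cpu: $f absent"
    done
}

check_host "$SAMPLE_MISMATCH" "$SAMPLE_CPU"
```

A present aes flag only shows the CPU offers the instructions; comparing 'openssl speed aes-128-cbc' with 'openssl speed -evp aes-128-cbc' from the same build shows whether the library actually uses them.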

