Hi,

On Wed, Apr 29, 2015 at 10:58:36PM -0600, Shawn Heisey wrote:
> On 4/29/2015 3:00 PM, Shawn Heisey wrote:
> > How can I be sure that openssl is compiled with support for TLS
> > acceleration in the CPU?  I am compiling haproxy from source.  Would you
> > recommend that I install a separate and newer openssl from source for
> > explicit use with haproxy, and tweak its config for the specific
> > hardware it's on?
> 
> Followup on the openssl part of my email.
> 
> I built and installed openssl 1.0.2a from source, with this config line:
> 
> ./config no-shared enable-ec_nistp_64_gcc_128 threads

This looks correct to me.

> Then I built haproxy using this command:
> 
> make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 CPU=native
> SSL_INC=/usr/local/ssl/include SSL_LIB=/usr/local/ssl/lib ADDLIB=-ldl
> 
> Here's the 'haproxy -vv' and 'uname -a' output:
> 
> ---------------
> HA-Proxy version 1.5.11 2015/01/31
> Copyright 2000-2015 Willy Tarreau <w...@1wt.eu>
> 
> Build options :
>   TARGET  = linux2628
>   CPU     = native
>   CC      = gcc
>   CFLAGS  = -O2 -march=native -g -fno-strict-aliasing
>   OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1
> 
> Default settings :
>   maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
> 
> Encrypted password support via crypt(3): yes
> Built with zlib version : 1.2.8
> Compression algorithms supported : identity, deflate, gzip
> Built with OpenSSL version : OpenSSL 1.0.2a 19 Mar 2015
> Running on OpenSSL version : OpenSSL 1.0.2a 19 Mar 2015
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports prefer-server-ciphers : yes
> Built with PCRE version : 8.31 2012-07-06
> PCRE library supports JIT : no (USE_PCRE_JIT not set)
> Built with transparent proxy support using: IP_TRANSPARENT
> IPV6_TRANSPARENT IP_FREEBIND
> 
> Available polling systems :
>       epoll : pref=300,  test result OK
>        poll : pref=200,  test result OK
>      select : pref=150,  test result OK
> Total: 3 (3 usable), will use epoll.

Looks good as well.

> ---------------
> Linux lb1 3.13.0-49-generic #83-Ubuntu SMP Fri Apr 10 20:11:33 UTC 2015
> x86_64 x86_64 x86_64 GNU/Linux
> ---------------

OK.

> Can anyone who's knowledgeable about this look over what I've done and
> tell me if they'd do something different?

That's fine for me.

> I also still need some assistance with the rest of my original email.

I do not have much advice to add beyond this.

> Side issue, mentioning in case it's important, though I suspect it
> isn't:  When I built openssl with the indicated config, 'make test'
> failed, but it passed on an earlier build with 'shared' instead of
> 'no-shared'.  I rebuilt with no-shared because haproxy was dynamically
> linking the older openssl library installed from ubuntu packages,
> instead of the newer library used for compile.

You'd still better run with the shared mode in my opinion, because
openssl provides frequent updates and 1.0.2 is fairly new, so you'll
certainly have to rebuild often. On the other hand, it might be an
opportunity to think about upgrading haproxy as well. But you need
to be reactive since openssl updates are generally for security
issues (e.g. Heartbleed and such), so you don't want to wait.

Regards,
Willy
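A check for the two build pitfalls discussed in this thread (the loader picking a different libssl at run time than the one haproxy was compiled against, and a static no-shared link that keeps OpenSSL security updates from reaching haproxy until it is rebuilt), as an added example that is not part of the thread or of haproxy itself; the function names, the mismatch case and the ldd listings are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity checks for a haproxy
# build against a hand-installed OpenSSL. Two things can go wrong here:
#  1. haproxy was compiled against /usr/local/ssl headers but at run time
#     the dynamic loader picks the distro's older libssl, which
#     `haproxy -vv` exposes as differing "Built with"/"Running on" lines.
#  2. libssl is linked statically (no-shared), so an OpenSSL security
#     update does not reach haproxy until haproxy itself is rebuilt.

# Print the OpenSSL version haproxy was built with and the one it runs on,
# given `haproxy -vv` output as $1. Returns 0 when they match, 1 otherwise.
openssl_versions_match() {
    built=$(printf '%s\n' "$1" | sed -n 's/^Built with OpenSSL version : //p')
    running=$(printf '%s\n' "$1" | sed -n 's/^Running on OpenSSL version : //p')
    printf 'built=[%s] running=[%s]\n' "$built" "$running"
    [ -n "$built" ] && [ "$built" = "$running" ]
}

# Classify how libssl is linked from `ldd /path/to/haproxy` output ($1):
# prints "shared" when the loader resolves libssl/libcrypto, "static"
# otherwise. A static binary must be rebuilt for every OpenSSL fix; a
# shared one picks up the updated library on the next restart.
libssl_linkage() {
    if printf '%s\n' "$1" | grep -qE 'lib(ssl|crypto)\.so'; then
        echo shared
    else
        echo static
    fi
}

# Constructed sample inputs: the matching pair is taken from the -vv output
# in the thread; the mismatch case and both ldd listings are made up.
VV_OK='Built with OpenSSL version : OpenSSL 1.0.2a 19 Mar 2015
Running on OpenSSL version : OpenSSL 1.0.2a 19 Mar 2015'
VV_BAD='Built with OpenSSL version : OpenSSL 1.0.2a 19 Mar 2015
Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014'
LDD_SHARED='libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f1a3c000000)
libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f1a3bc00000)'
LDD_STATIC='not a dynamic executable'

if openssl_versions_match "$VV_OK"; then echo "OK: same libssl at build and run time"; fi
if ! openssl_versions_match "$VV_BAD"; then
    echo "WARN: loader picked a different libssl (check ldconfig / LD_LIBRARY_PATH)"
fi
echo "linkage: $(libssl_linkage "$LDD_SHARED") / $(libssl_linkage "$LDD_STATIC")"
```

Run the same two functions on the real `haproxy -vv` and `ldd $(command -v haproxy)` output to confirm the binary uses the OpenSSL you intended.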