Hi Marcin, On 3/11/19 4:27 PM, Marcin Deranek wrote: > On 3/11/19 11:51 AM, Emeric Brun wrote: > >> Mode async is enabled on both sides, server and frontend side. >> >> But on server side, haproxy is using session resuming, so there is a new key >> computation (full handshake with RSA/DSA computation) only every 5 minutes >> (openssl default value). >> >> You can force to recompute each time setting "no-ssl-reuse" on server line, >> but it will add a heavy load for ssl computation on the server. > > Indeed, setting no-ssl-reuse makes use of QAT for healthchecks. > Looks like finally we are ready for QAT testing. > Thank you Emeric. > Regards, > > Marcin Deranek >
I've just re-check and i think you should also enable the 'PKEY_CRYPTO' algo to the engine ssl-engine qat algo RSA,DSA,EC,DH,PKEY_CRYPTO It will enable rhe offloading of the TLS1-PRF you can see there: # /opt/booking-openssl/bin/openssl engine -c qat (qat) Reference implementation of QAT crypto engine [RSA, DSA, DH, AES-128-CBC-HMAC-SHA1, AES-128-CBC-HMAC-SHA256, AES-256-CBC-HMAC-SHA1, AES-256-CBC-HMAC-SHA256, TLS1-PRF] R, Emeric