On 10/29/21 3:58 AM, Emerson Gomes wrote:
> If you want "definitive proof" that you're not using AES-NI
> instructions during your benchmark, you could simply compile OpenSSL
> (and then HAproxy, linking it to this OpenSSL version) passing
> "-noaes" flag to GCC in the process.

I know from other tests that the installed openssl package is CAPABLE of
using the aes-ni instructions.

What I am trying to determine is whether or not haproxy is using them.

Lukas is probably right that there is no problem here, and that this
whole endeavor is a waste of time.

On 10/29/21 1:15 AM, Willy Tarreau wrote:
> By the way on this subject, based on the numbers you reported for
> openssl speed, the speed differences on as low bandwidth a network as
> 1 Gbps are not even relevant. Your machine can encrypt/decrypt at
> roughly 2 Gbps per core even when not using AES-NI, so in this case
> it's more important to watch the CPU utilization during the transfer
> than the transfer speed itself, which can be affected by many other
> factors.

Interesting that the curl transfer speed was only 62 MB/second in my
test, rather than the 100 MB/s or more that I would expect if haproxy
and apache were saturating the gigabit connection. The backends are all
cleartext on localhost, not ssl.

The server has two of these CPUs:

model name : Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz

I repeated the curl test, and this time there was no big difference in
transfer speeds. One got 63 MB/s, the other got 62 MB/s. I tried to
look for CPU differences with "top" on a 0.2 second delay, but even with
the flags to disable acceleration, haproxy CPU usage during the curl
transfer was 0.0 percent, so that tool is useless. I don't know how to
use any real profiling tools.

It was suggested that I do the data transfer from another machine, which
is what I did. Just for thoroughness, I did the test again on the same
machine as haproxy, and this time (without that pesky gigabit network in
the way) I did see a very significant difference in transfer speed.
Internal DNS resolves the hostname I used to the machine's private IP
address.

root@smeagol:~# curl --ciphers ECDHE-RSA-AES256-GCM-SHA384 https://www.DOMAIN.com/4gbrandom > /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 4096M  100 4096M    0     0   192M      0  0:00:21  0:00:21 --:--:--  201M

root@smeagol:~# curl --ciphers ECDHE-RSA-AES256-GCM-SHA384 https://www.DOMAIN.com/4gbrandom > /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 4096M  100 4096M    0     0  67.6M      0  0:01:00  0:01:00 --:--:--  70.0M

I am going to conclude from this that acceleration is working. If
somebody wants to point me at a crash course in how to use profiling
tools, I will give that a try.

Thanks to everyone for their assistance.

Shawn
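
[Added example, not part of the original thread or of haproxy: one way to follow the advice above and compare CPU use rather than transfer speed is to read the cumulative utime+stime counters from /proc/<pid>/stat before and after the transfer, instead of sampling with top. Assumes Linux and a single haproxy process whose PID is passed in; the function names and sample stat lines are constructed for illustration.]

```shell
#!/bin/sh
# Usage (hypothetical file name): sh cputicks.sh <haproxy-pid> curl ... > /dev/null

# Sum utime+stime (in clock ticks) from one /proc/<pid>/stat line.
# Field 2 (comm) may contain spaces or ")", so cut at the LAST ") ".
stat_ticks() {
    rest=${1##*') '}      # remainder now starts at field 3 (state)
    set -- $rest          # positional parameters are local to the function
    shift 11              # $1 = field 14 (utime), $2 = field 15 (stime)
    echo $(( $1 + $2 ))
}

# Percent of ONE core used: cpu_pct <ticks_before> <ticks_after> <seconds> <hz>
cpu_pct() {
    echo $(( ($2 - $1) * 100 / ($3 * $4) ))
}

# Run a command and report how much CPU the watched PID burned meanwhile.
measure() {
    pid=$1; shift
    hz=$(getconf CLK_TCK)
    t0=$(date +%s)
    before=$(stat_ticks "$(cat "/proc/$pid/stat")")
    "$@"
    after=$(stat_ticks "$(cat "/proc/$pid/stat")")
    el=$(( $(date +%s) - t0 ))
    [ "$el" -gt 0 ] || el=1          # avoid dividing by zero on short runs
    echo "pid $pid: $((after - before)) ticks in ${el}s =" \
         "$(cpu_pct "$before" "$after" "$el" "$hz")% of one core"
}

# Only measure when called with a PID and a command.
if [ "$#" -ge 2 ]; then
    measure "$@"
fi
```

Run it once with acceleration enabled and once with it disabled, using the same curl command both times; the tick delta is a cumulative count, so it does not depend on a sampling interval.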