Hi, Tom--

On Apr 24, 2008, at 10:50 AM, Tom Leach wrote:
Anyone out there using HW crypto accelerators for SSL/TLS imap sessions? I'm migrating from a Solaris environment that is using a Sun crypto card to a Linux environment where crypto drivers may be more difficult to come by and I'm wondering if the speedup in processing power from the newer system hardware will offset the need for accelerators? We're a medium-sized installation with 300 - 500 simultaneous sessions.
Just curious what others are doing with crypto and imap.

I've used the CryptoSwift hardware with some high-volume SSL webservers on Solaris, and I've used various Hi/FN cards under FreeBSD. These devices provide the most benefit to the initial SSL connection setup using the ~1024-bit public-key encryption (i.e., RSA or DSA), and do not help as much for the ~40/128-bit symmetric encryption (i.e., DES/3DES/RC4/RC5/AES) used later on for the actual data.

In the case of SSL web traffic, you end up setting up and tearing down many more connections compared to IMAP usage, which tends to persist connections much longer. Modern 1+ GHz CPUs can generally do symmetric crypto faster than at least the lower-end HW crypto accelerators, but you can use "openssl speed" to get real numbers for the hardware you've got.

(If you're not sure what types of crypto your clients are using, running "openssl s_client -connect mail.example.com:imaps", possibly with the -debug flag for details, will tell you...)

--
-Chuck

_______________________________________________
Imap-uw mailing list
Imap-uw@u.washington.edu
https://mailman1.u.washington.edu/mailman/listinfo/imap-uw
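
Added example (not part of the original message or any list tooling): a shell function that reduces `openssl speed -mr` output to the two figures the reply contrasts, private-key operations per second for connection setup and bulk symmetric throughput. The sample input, the 1024-bit key size and the 500-session count are constructed or assumed values, not measurements.

```shell
#!/bin/sh
# Added example, not from the original message.
# Real use:  openssl speed -mr rsa1024 aes-128-cbc 2>/dev/null | tls_budget 1024 500
# Machine-readable (-mr) lines consumed:
#   +F2:<idx>:<bits>:<sign s/op>:<verify s/op>    RSA timings
#   +F:<idx>:<cipher>:<bytes/s per block size>    symmetric throughput

# Constructed sample output (illustrative numbers, not a real benchmark).
sample_speed_output() {
    cat <<'EOF'
+H:16:64:256:1024:8192:16384
+F:0:aes-128-cbc:90000000.00:110000000.00:120000000.00:125000000.00:128000000.00:128000000.00
+F2:0:1024:0.000100:0.000005
EOF
}

# tls_budget BITS SESSIONS  (reads openssl speed -mr output on stdin)
tls_budget() {
    awk -F: -v bits="$1" -v sessions="$2" '
        # The server performs one RSA private-key operation per full handshake.
        $1 == "+F2" && $3 == bits { sign_s = $4 }
        # Last column is throughput at the largest block size tested.
        $1 == "+F" { cipher = $3; bulk = $NF }
        END {
            if (sign_s == "" || sign_s <= 0) {
                print "error: no RSA " bits " result in input" > "/dev/stderr"
                exit 1
            }
            printf "handshakes_per_sec=%.0f\n", 1 / sign_s
            # Worst case: every session reconnects at once (e.g. server restart).
            printf "reconnect_all_sec=%.2f\n", sessions * sign_s
            if (cipher != "")
                printf "bulk_%s_MB_per_sec=%.0f\n", cipher, bulk / 1000000
        }'
}

# Demonstration on the constructed sample.
sample_speed_output | tls_budget 1024 500
```

The figures are per core and single-threaded; a low `reconnect_all_sec` for the whole session population indicates that handshake cost is small for long-lived IMAP connections.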
