I've written several pieces to this list and the apache list about using
hardware acceleration for SSL. Most SSL accelerators today either work with
openssl/modssl or are independant. The nCipher cryptoswift PCI card or
Rainbow Technologies PCI cards work with openssl/modssl. The only thing to
keep in mind, for the price you pay, it would be more prudent to just buy a
newer server and loadballance your HTTPS farm. Not only do you have more
distribution, but you have failover ability as well and degraded capability
in the event of an outage, instead of no capability. Also, SSL Accelerators
are only good for a large enough amount of content across persistent SSL
sessions. That means that if your customers/browsers are viewing EVERY PAGE
in SSL or every page they visit in SSL is >5KB and you have several of them
they will hit that way, then you might benefit from using SSL acclerators.
Also, if you have an SSH server, it can also benefit and allow MUCH more
concurrent persistent connections during those types of sessions as well.
Another type of system which can benefit from SSL accelerators is the
all-in-one http/https/application/db server which get's hit pretty hard if
you've got that much stuff serving from the same box. If you HAVE to keep
that model, then it might be a good idea to use an Acclerator to offload
handshake data from the processors. Also, if people are constantly making
SSH connections and transferring encrypted data from a DB server, that's a
good way to keep the cpu load low, if many connections are occurring all the
time. Hope this helps. There are also lots of SSL acclerator boxes you can
by for use on the network, which will proxy all SSL, ssh, etc and pass data
unencrypted, or encrypted, but no handshake, to the target host. Intel,
nCipher, Rainbow, F5, and Dell are the ones who come to mind in that arena.
--
Austin Gonyou
Systems Architect, CCNA
Coremetrics, Inc.
Phone: 512-796-9023
email: [EMAIL PROTECTED]
> -----Original Message-----
> From: JJohnson [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 12, 2001 1:14 PM
> To: [EMAIL PROTECTED]
> Subject: Hardware Acceleration using OpenSSL-engine
>
>
>
> I haven't really seen any documentation on using the hardware
> acceleration that openssl-engine can provide when using it
> with modssl. I've seen the issue brought up a few times, but
> I can't find any answers to this topic. Can somebody point
> me to the relevant documentation or list archive that has this info?
>
>
> Thanks
> -miah
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
