Nginx: how to enable the Intel AES-NI engine

Hi Nginx.

I have an Intel® Xeon® CPU E5620 based web server.
I have managed to patch the openssl ver 1.0.0 so I have support for the
AES-NI engine.

openssl engine -t

(aesni) Intel AES-NI engine
[ available ]
(dynamic) Dynamic engine loading support
[ unavailable ]
(4758cca) IBM 4758 CCA hardware engine support
[ unavailable ]
(aep) Aep hardware engine support
[ unavailable ]
(atalla) Atalla hardware engine support
[ unavailable ]
(cswift) CryptoSwift hardware engine support
[ unavailable ]
(chil) CHIL hardware engine support
[ unavailable ]
(nuron) Nuron hardware engine support
[ unavailable ]
(sureware) SureWare hardware engine support
[ unavailable ]
(ubsec) UBSEC hardware engine support
[ unavailable ]
(gost) Reference implementation of GOST engine
[ available ]

openssl speed -engine aesni -evp aes-256-cbc

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     405328.44k   421965.16k   426290.26k   426056.02k   427277.19k

This is 3 times higher performance than without the aes-ni patch.

Under my SSL setup in nginx I have these lines:

ssl on;
ssl_certificate      /usr/local/nginx/conf/mysite.crt;
ssl_certificate_key  /usr/local/nginx/conf/mysite.key;
ssl_session_timeout  5m;
ssl_protocols  SSLv3;
#ssl_engine aesni;
ssl_ciphers AES256-SHA:1024:256:HIGH:!ADH:!MD5;
ssl_prefer_server_ciphers   on;

When I enable the line
ssl_engine aesni;

I got an error
[emerg]: unknown directive “ssl_engine” in /usr/local/nginx/conf/nginx.conf:66

How should I take advantage of the AES-NI speedup?

/Michael

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,181676,181676#msg-181676

Hello!

On Wed, Mar 09, 2011 at 12:44:47PM -0500, michaelvv wrote:

> I have an Intel® Xeon® CPU E5620 based web server.
> I have managed to patch the openssl ver 1.0.0 so I have support for the
> AES-NI engine.
>
> […]
>
> When I enable the line
> ssl_engine aesni;
>
> I got an error
> [emerg]: unknown directive “ssl_engine” in
> /usr/local/nginx/conf/nginx.conf:66
>
> How should I take advantage of the AES-NI speedup?

The “ssl_engine” directive is a global one; it has to be used in the main
context, i.e. outside of the http{} block.

Maxim D.
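
The placement rule from the reply above, as an added example that is not part of the original posts: a small check that reports any active ssl_engine directive sitting inside a block instead of the main context. Both sample configurations are constructed for illustration, and the function name misplaced_ssl_engine is hypothetical.

```shell
#!/bin/sh
# Constructed sample modelled on the question: one commented-out directive in
# the main context and one active directive inside server{}.
BAD_CONF='worker_processes 4;
#ssl_engine aesni;
http {
    server {
        listen 443;
        ssl on;
        ssl_engine aesni;
    }
}'

# Constructed sample with the directive in the main context, as the reply advises.
GOOD_CONF='worker_processes 4;
ssl_engine aesni;
http {
    server {
        listen 443;
        ssl on;
    }
}'

# Print the line number of every active ssl_engine directive that sits inside
# a block (brace depth > 0). Prints nothing when all are in the main context.
# Simplification: assumes one directive per line and no "#" or braces inside
# quoted strings.
misplaced_ssl_engine() {
    printf '%s\n' "$1" | awk '
        { line = $0; sub(/#.*/, "", line) }
        depth > 0 && line ~ /^[ \t]*ssl_engine[ \t]/ { print NR }
        { opens = gsub(/[{]/, "", line); closes = gsub(/[}]/, "", line)
          depth += opens - closes }
    '
}

echo "bad config, misplaced at line(s):  $(misplaced_ssl_engine "$BAD_CONF")"
echo "good config, misplaced at line(s): $(misplaced_ssl_engine "$GOOD_CONF")"
```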

Hi Maxim.

I have put it into the global session, but I cannot see any speed
difference,
which was huge in openssl.
Do you know anyone who has had success getting it to work properly?
I’m missing something, but I have googled for 3 hours and I’m
quite lost.
Is there any way that I can see which engine nginx is using?

/Best Michael

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,181676,181769#msg-181769

Hello!

On Wed, Mar 09, 2011 at 04:14:16PM -0500, michaelvv wrote:

> Hi Maxim.
>
> I have put it into the global session, but I cannot see any speed
> difference,
> which was huge in openssl.
> Do you know anyone who has had success getting it to work properly?
> I’m missing something, but I have googled for 3 hours and I’m
> quite lost.
> Is there any way that I can see which engine nginx is using?

The missing part is:

In openssl speed tests you see a difference in block cipher speed,
while in real life most CPU time is spent on asymmetric
algorithms during the SSL handshake.

Compare the following results (both are from the same server,
rather old and slow):

$ openssl speed aes-256-cbc

The ‘numbers’ are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256 cbc      12494.65k    12894.81k    13162.81k    13230.46k    13052.91k

$ openssl speed rsa4096

                  sign    verify    sign/s verify/s
rsa 4096 bits 0.689448s 0.009975s      1.5    100.3

That is, with AES 256 this server is able to saturate 100 Mbps
link easily. But it is only able to handle about 1.5 handshakes per
second with RSA 4096-bit key (the one with strength comparable to
AES 256).

You may try testing if downloading a really big file makes a
difference in CPU usage with and without the aesni engine activated,
but you aren’t likely to see any difference in real life.

Setting correct ssl_session_cache may be a much more significant
optimization.

Maxim D.
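
The comparison in the reply above, worked through as an added example that is not part of the original posts: this script parses the two openssl speed result lines quoted there and computes how many bytes of AES traffic cost as much CPU time as one RSA 4096 private-key operation. The function names are illustrative, and it assumes one RSA private-key operation per full handshake, as the reply does.

```shell
#!/bin/sh
# Constructed input: the two result lines from the `openssl speed` runs quoted above.
SPEED_OUTPUT='aes-256 cbc 12494.65k 12894.81k 13162.81k 13230.46k 13052.91k
rsa 4096 bits 0.689448s 0.009975s 1.5 100.3'

# Bulk cipher throughput in bytes/s at the largest block size (last column).
# openssl speed reports these figures in 1000s of bytes per second.
cipher_bytes_per_sec() {
    printf '%s\n' "$1" | awk '/^aes/ { v = $NF; sub(/k$/, "", v); printf "%.0f\n", v * 1000 }'
}

# The same throughput expressed as link speed in Mbit/s.
cipher_mbps() {
    awk -v bps="$(cipher_bytes_per_sec "$1")" 'BEGIN { printf "%.1f\n", bps * 8 / 1000000 }'
}

# CPU seconds for one RSA private-key operation (the "sign" column).
rsa_sign_seconds() {
    printf '%s\n' "$1" | awk '/^rsa/ { v = $4; sub(/s$/, "", v); print v }'
}

# Bytes of AES traffic that cost as much CPU time as one RSA sign.
breakeven_bytes() {
    awk -v bps="$(cipher_bytes_per_sec "$1")" -v s="$(rsa_sign_seconds "$1")" \
        'BEGIN { printf "%.0f\n", bps * s }'
}

echo "AES throughput:      $(cipher_mbps "$SPEED_OUTPUT") Mbit/s"
echo "RSA sign time:       $(rsa_sign_seconds "$SPEED_OUTPUT") s"
echo "Break-even transfer: $(breakeven_bytes "$SPEED_OUTPUT") bytes per full handshake"
```

On these numbers a connection has to move roughly 9 MB before AES costs as much CPU as its one full handshake, which is why resumed sessions served from ssl_session_cache matter more than a faster block cipher.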

Hi Maxim.

Probably a newbie question: what do you suggest for the
ssl_session_cache setting?
I have tried ssl_session_cache shared:SSL:1m;

The box has 24 GB RAM and dual Intel 5620 2.4 GHz Westmere CPUs.
So I should have enough processing power .-)

Thanks Michael

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,181676,181887#msg-181887

Hello!

On Thu, Mar 10, 2011 at 03:09:22AM -0500, michaelvv wrote:

> Hi Maxim.
>
> Probably a newbie question: what do you suggest for the
> ssl_session_cache setting?
> I have tried ssl_session_cache shared:SSL:1m;

1M is about 4000 sessions - so you may want to set it bigger
depending on your site attendance. I usually set 10M as a
starting point.

Otherwise looks good.

Maxim D.

Hello!

On Thu, Mar 10, 2011 at 08:34:07AM -0500, michaelvv wrote:

> The last questions so far.
> Do you know if there are any hardware-based solutions which in any way
> could speed up
> the processing of SSL, and work with nginx?
> I have seen some companies offering products, but have you heard of any?
> I currently have ca 1850 pr/sec on the server I’m using.

I have no idea about hardware SSL accelerators. From theoretical
point of view - any with openssl (and your OS) support should work.

On the other hand, modern processors are capable of executing at
least 1k of RSA 1024-bit signs per second on a single core (and
you usually have at least 4 of them), so this isn’t usually an
issue. And using a faster processor and/or adding more servers may
be a better option if you are CPU-bound due to SSL operations.

Maxim D.

Hi Maxim.

The last questions so far.
Do you know if there are any hardware-based solutions which in any way
could speed up
the processing of SSL, and work with nginx?
I have seen some companies offering products, but have you heard of any?
I currently have ca 1850 pr/sec on the server I’m using.

Thanks again

/Michael

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,181676,181952#msg-181952