SSL accelerators performance [was: Distributing crypto work away from apache-ssl?]

On Tue, Mar 01, 2005 at 11:07:11PM +0200, sin wrote:
> or, if the budget allows it, you can get an ssl accelerator built 
> specifically for web server ssl offloading. one such card is 
> http://www.ncipher.com/nforce/index.html

We did consider such an option, however, it does not seem to be
cost-effective. The only parameter that I was able to extract from the
marketing gibberish on web pages of producers of such cards is the
mysterious "ssl transactions per second". Of course "ssl transactions
per second" doesn't mean anything, unless provided with some additional
statistical information, which is of course missing. From other pieces of
information I found on their web pages, I could figure out that the
number represents the number of 1024 bit block RSA encryptions per

The card we considered buying is said to achieve 150 such encryptions per
second.  I have made some tests, and it seems that an old Athlon XP
1600+ box can do about 200 per second, and that is while playing some
MP3s in background. Moreover, for the cash needed to buy one such card,
we can easily build a cluster of four diskless machines, which can act
as such "ssl accelerator" for our whole DMZ.

I have found one message on the openssl mailing list that contained similar
conclusions. However I'm still not convinced that those RSA encryptions
per second is really the most important (i.e. most CPU-intensive)
factor. I would be very thankful if someone with such card could run
"openssl speed" (preferably with "-multi" appropriate for the card
hardware - some have parallel architecture, which cannot be fully
utilized when running only one test at a time).


Marcin Owsiany <marcin@owsiany.pl>             http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216
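
An added example, not part of the original message: it parses the RSA summary table that `openssl speed` prints (with or without `-multi`) and extracts the private-key rate, so a host and a card can be compared on the same figure. The sample table is constructed for illustration, and the function names are this example's own.

```python
import re
import shutil
import subprocess

# Constructed sample in the summary layout `openssl speed rsa1024 rsa2048` prints.
SAMPLE = """\
                  sign    verify    sign/s verify/s
rsa 1024 bits 0.004926s 0.000270s    203.0   3703.7
rsa 2048 bits 0.031250s 0.000935s     32.0   1069.5
"""

def parse_speed(text):
    """Return {key_bits: {column: value}} from the RSA summary table.

    Columns are matched to the header line, so extra columns and the
    per-child lines printed under -multi are tolerated and ignored.
    """
    header, results = None, {}
    for line in text.splitlines():
        tokens = line.split()
        if "sign/s" in tokens:
            header = tokens
        m = re.match(r"\s*rsa\s+(\d+)\s+bits\s+(.*)", line)
        if m and header:
            values = [float(v.rstrip("s")) for v in m.group(2).split()]
            results[int(m.group(1))] = dict(zip(header, values))
    return results

def private_ops_per_second(text, bits=1024):
    """sign/s is the private-key rate, the operation an RSA handshake
    costs the server; verify/s is the much cheaper public-key side."""
    return parse_speed(text)[bits]["sign/s"]

def run_speed(bits=1024, procs=1):
    """Run the benchmark locally; returns None if openssl is not installed."""
    if shutil.which("openssl") is None:
        return None
    cmd = ["openssl", "speed"]
    if procs > 1:
        cmd += ["-multi", str(procs)]  # one worker per CPU or accelerator unit
    out = subprocess.run(cmd + [f"rsa{bits}"], capture_output=True, text=True)
    return parse_speed(out.stdout)

if __name__ == "__main__":
    CARD_RATE = 150.0  # vendor figure quoted in the message above
    rate = private_ops_per_second(SAMPLE)
    print(f"host: {rate:.1f} private ops/s, {rate / CARD_RATE:.2f}x the card")
```

`run_speed()` takes as long as the benchmark itself; on a real system, feed its result or saved `openssl speed` output to the same parser.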