[csw-maintainers] New openssl packages

Yann Rouillard yann at pleiades.fr.eu.org
Sun Jan 22 23:18:12 CET 2012


Hi Rupert,

I am not a cryptography expert, but you can have a look at this
document:
http://www.oracle.com/technetwork/server-storage/archive/a11-014-crypto-accelerators-439765.pdf
It contains a little performance chapter at the end of the document,
which shows the impact of using hardware acceleration on the number of
operations/second Apache can handle in HTTPS.

It would be nice if someone could confirm these numbers with Apache. I
don't have administrator access on an Ultrasparc T1/T2 server (I made
the openssl test on unstable10s|x).
I suppose it will also work with Ultrasparc T3.

Yann


On 22/01/2012 20:38, rupert THURNER wrote:
> hi yann, this seems very interesting. how does this affect one's daily
> life, or in other words, how often does this get used? is it only on
> connection setup, or does it somehow help when encrypting the traffic?
>
> On Sun, Jan 22, 2012 at 20:31, Yann Rouillard <yann at pleiades.fr.eu.org> wrote:
>> Hi again,
>>
>> For those interested in some ssl speed up, there is an experimental openssl
>> 0.9.8 build with pkcs11 support available in my build directory
>> (/home/yann/build/ on the buildfarm).
>> It allows opencsw openssl to take advantage of crypto-hardware acceleration
>> available on some sun servers, Ultrasparc T2 for example.
>>
>> Here is an excerpt of openssl rsa speed test to see the difference:
>>
>> Without pkcs11: 719 1024 bit private RSA's in 10.00s
>> With pkcs11: 10906 1024 bit private RSA's in 2.92s
>>
>> I am also interested in some more testing of these packages.
>>
>> Yann
>>
>>
>> Quick Openssl RSA benchmark:
>>
>> # OPENCSW OPENSSL WITHOUT PKCS11 engine
>> # openssl speed rsa
>>
>> Doing 512 bit private rsa's for 10s: 3154 512 bit private RSA's in 10.00s
>> Doing 512 bit public rsa's for 10s: 39315 512 bit public RSA's in 9.95s
>> Doing 1024 bit private rsa's for 10s: 719 1024 bit private RSA's in 10.00s
>> Doing 1024 bit public rsa's for 10s: 15178 1024 bit public RSA's in 10.00s
>> Doing 2048 bit private rsa's for 10s: 128 2048 bit private RSA's in 10.07s
>> Doing 2048 bit public rsa's for 10s: 4779 2048 bit public RSA's in 9.99s
>> Doing 4096 bit private rsa's for 10s: 21 4096 bit private RSA's in 10.39s
>> Doing 4096 bit public rsa's for 10s: 1356 4096 bit public RSA's in 9.98s
>> OpenSSL 0.9.8t 18 Jan 2012
>> built on: Sun Jan 22 12:41:16 CET 2012
>> options:bn(64,32) md2(int) rc4(ptr,char) des(ptr,risc1,16,long) aes(partial)
>> idea(int) blowfish(ptr)
>> compiler: cc -KPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN
>> -DHAVE_DLFCN_H -DPK11_LIB_LOCATION="/usr/lib/libpkcs11.so" -xtarget=ultra
>> -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W
>> available timing options: TIMES TIMEB HZ=100 [sysconf value]
>> timing function used: times
>>                   sign    verify    sign/s verify/s
>> rsa  512 bits 0.003171s 0.000253s    315.4   3951.3
>> rsa 1024 bits 0.013908s 0.000659s     71.9   1517.8
>> rsa 2048 bits 0.078672s 0.002090s     12.7    478.4
>> rsa 4096 bits 0.494762s 0.007360s      2.0    135.9
>>
>>
>> # OPENCSW OPENSSL WITH PKCS11 engine
>> # openssl speed -engine pkcs11 rsa
>>
>> engine "pkcs11" set.
>> Doing 512 bit private rsa's for 10s: 31397 512 bit private RSA's in 1.19s
>> Doing 512 bit public rsa's for 10s: 30262 512 bit public RSA's in 5.28s
>> Doing 1024 bit private rsa's for 10s: 10906 1024 bit private RSA's in 2.92s
>> Doing 1024 bit public rsa's for 10s: 20980 1024 bit public RSA's in 3.80s
>> Doing 2048 bit private rsa's for 10s: 3900 2048 bit private RSA's in 1.13s
>> Doing 2048 bit public rsa's for 10s: 10639 2048 bit public RSA's in 1.97s
>> Doing 4096 bit private rsa's for 10s: 15 4096 bit private RSA's in 10.45s
>> Doing 4096 bit public rsa's for 10s: 537 4096 bit public RSA's in 10.00s
>> OpenSSL 0.9.8t 18 Jan 2012
>> built on: Sun Jan 22 12:41:16 CET 2012
>> options:bn(64,32) md2(int) rc4(ptr,char) des(ptr,risc1,16,long) aes(partial)
>> idea(int) blowfish(ptr)
>> compiler: cc -KPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN
>> -DHAVE_DLFCN_H -DPK11_LIB_LOCATION="/usr/lib/libpkcs11.so" -xtarget=ultra
>> -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W
>> available timing options: TIMES TIMEB HZ=100 [sysconf value]
>> timing function used: times
>>                   sign    verify    sign/s verify/s
>> rsa  512 bits 0.000038s 0.000174s  26384.0   5731.4
>> rsa 1024 bits 0.000268s 0.000181s   3734.9   5521.1
>> rsa 2048 bits 0.000290s 0.000185s   3451.3   5400.5
>> rsa 4096 bits 0.696667s 0.018622s      1.4     53.7
>>
>>
>> # SUN OPENSSL WITHOUT PKCS11 ENGINE
>> # openssl speed rsa
>>
>> Doing 512 bit private rsa's for 10s: 2101 512 bit private RSA's in 9.99s
>> Doing 512 bit public rsa's for 10s: 20924 512 bit public RSA's in 10.00s
>> Doing 1024 bit private rsa's for 10s: 403 1024 bit private RSA's in 10.00s
>> Doing 1024 bit public rsa's for 10s: 6960 1024 bit public RSA's in 10.00s
>> Doing 2048 bit private rsa's for 10s: 64 2048 bit private RSA's in 10.03s
>> Doing 2048 bit public rsa's for 10s: 2056 2048 bit public RSA's in 9.99s
>> Doing 4096 bit private rsa's for 10s: 10 4096 bit private RSA's in 10.85s
>> Doing 4096 bit public rsa's for 10s: 569 4096 bit public RSA's in 10.01s
>> OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: CVE-2005-2969
>> CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343
>> CVE-2007-5135 CVE-2007-3108 CVE-2008-5077 CVE-2009-0590 CVE-2009-3555)
>> built on: date not available
>> options:bn(64,32) md2(int) rc4(ptr,char) des(ptr,risc1,16,long) aes(partial)
>> blowfish(ptr)
>> compiler: information not available
>> available timing options: TIMES TIMEB HZ=100 [sysconf value]
>> timing function used: times
>>                   sign    verify    sign/s verify/s
>> rsa  512 bits   0.0048s   0.0005s    210.3   2092.4
>> rsa 1024 bits   0.0248s   0.0014s     40.3    696.0
>> rsa 2048 bits   0.1567s   0.0049s      6.4    205.8
>> rsa 4096 bits   1.0850s   0.0176s      0.9     56.8
>>
>>
>> # SUN OPENSSL WITH PKCS11 ENGINE
>> # openssl speed -engine pkcs11 rsa
>>
>> engine "pkcs11" set.
>> Doing 512 bit private rsa's for 10s: 30855 512 bit private RSA's in 1.17s
>> Doing 512 bit public rsa's for 10s: 53489 512 bit public RSA's in 1.75s
>> Doing 1024 bit private rsa's for 10s: 14632 1024 bit private RSA's in 0.59s
>> Doing 1024 bit public rsa's for 10s: 28838 1024 bit public RSA's in 0.97s
>> Doing 2048 bit private rsa's for 10s: 4153 2048 bit private RSA's in 0.19s
>> Doing 2048 bit public rsa's for 10s: 12484 2048 bit public RSA's in 0.44s
>> Doing 4096 bit private rsa's for 10s: 14 4096 bit private RSA's in 10.03s
>> Doing 4096 bit public rsa's for 10s: 542 4096 bit public RSA's in 9.99s
>> OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: CVE-2005-2969
>> CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343
>> CVE-2007-5135 CVE-2007-3108 CVE-2008-5077 CVE-2009-0590 CVE-2009-3555)
>> built on: date not available
>> options:bn(64,32) md2(int) rc4(ptr,char) des(ptr,risc1,16,long) aes(partial)
>> blowfish(ptr)
>> compiler: information not available
>> available timing options: TIMES TIMEB HZ=100 [sysconf value]
>> timing function used: times
>>                   sign    verify    sign/s verify/s
>> rsa  512 bits   0.0000s   0.0000s  26371.8  30565.1
>> rsa 1024 bits   0.0000s   0.0000s  24800.0  29729.9
>> rsa 2048 bits   0.0000s   0.0000s  21857.9  28372.7
>> rsa 4096 bits   0.7164s   0.0184s      1.4     54.3
>>
>>
>>
>>
>>
>> On 22/01/2012 20:14, Yann Rouillard wrote:
>>>
>>> I updated the openssl package set so it follows the library package
>>> naming and the /etc/opt/csw/ configuration directory standards.
>>>
>>> I would welcome additional testing of the packages before releasing them
>>> to the unstable repository.
>>>
>>> They are available in my experimental repository:
>>> http://buildfarm.opencsw.org/experimental.html#yann
>>>
>>> Thanks in advance for any feedback,
>>>
>>> Yann
>>> _______________________________________________
>>> maintainers mailing list
>>> maintainers at lists.opencsw.org
>>> https://lists.opencsw.org/mailman/listinfo/maintainers
>>> .:: This mailing list's archive is public. ::.
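
An added example (not part of the original thread, and not OpenSSL or OpenCSW code): a small Python parser for the `openssl speed rsa` result lines quoted above. The runs report `timing function used: times`, so the printed `sign/s` is operations per second of CPU time charged to the process; the block also derives a rate over the nominal 10 s interval, and treating that interval as the elapsed run time is an assumption, as are all function names.

```python
import re

# Function names are illustrative, not from OpenSSL or OpenCSW.
# Matches result lines of `openssl speed rsa`, e.g.
# "Doing 1024 bit private rsa's for 10s: 10906 1024 bit private RSA's in 2.92s"
LINE = re.compile(
    r"Doing (?P<bits>\d+) bit (?P<op>private|public) rsa's for (?P<run>\d+)s: "
    r"(?P<count>\d+) \d+ bit \w+ RSA's in (?P<cpu>[\d.]+)s"
)

def parse_speed(text):
    """Return {(bits, op): (count, cpu_seconds, run_seconds)}; '>' quoting is tolerated."""
    results = {}
    for raw in text.splitlines():
        m = LINE.search(raw)
        if m:
            key = (int(m["bits"]), m["op"])
            results[key] = (int(m["count"]), float(m["cpu"]), int(m["run"]))
    return results

def rates(count, cpu_s, run_s):
    """(ops per CPU-second, as openssl prints it; ops per second of the run interval).

    Assumption: the "for 10s" interval is the elapsed duration of each test.
    """
    return count / cpu_s, count / run_s

def compare(software, engine):
    """Per test, the engine/software ratio under both rate definitions."""
    out = {}
    for key in sorted(software.keys() & engine.keys()):
        s_cpu, s_run = rates(*software[key])
        e_cpu, e_run = rates(*engine[key])
        out[key] = (round(e_cpu / s_cpu, 1), round(e_run / s_run, 1))
    return out

# Lines copied from the OpenCSW runs quoted in this thread.
SOFTWARE = """\
>> Doing 1024 bit private rsa's for 10s: 719 1024 bit private RSA's in 10.00s
>> Doing 4096 bit private rsa's for 10s: 21 4096 bit private RSA's in 10.39s
"""
ENGINE = """\
>> Doing 1024 bit private rsa's for 10s: 10906 1024 bit private RSA's in 2.92s
>> Doing 4096 bit private rsa's for 10s: 15 4096 bit private RSA's in 10.45s
"""

if __name__ == "__main__":
    result = compare(parse_speed(SOFTWARE), parse_speed(ENGINE))
    for (bits, op), (cpu_x, run_x) in result.items():
        print(f"rsa {bits} {op}: x{cpu_x} per CPU-second, x{run_x} per run second")
```

The two ratios differ for 1024-bit keys because the process is charged only 2.92 s of CPU during the engine run, and for 4096-bit keys the engine run is no faster than the software one, as the quoted tables also show.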


