2011年3月9日星期三

Re: nginx how too enable intel aesni engine

Hello!

On Wed, Mar 09, 2011 at 04:14:16PM -0500, michaelvv wrote:

> Hi Maxim.
>
> I have put it into the global session , but i can not see any speed
> difference
> which where huge in openssl.
> Do you know any who have success getting it to work properly.
> I'm missing something but i have googled for 3 hours and i'm
> quite lost.
> Is there any way that i can see which engine nginx are using ?

The missing part is:

In openssl speed tests you see difference on block cipher speed,
while in real life most cpu time is spent on assymetric
algorithms during ssl handshake.

Compare the following results (both are from the same server,
rather old and slow):

$ openssl speed aes-256-cbc
...
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-256 cbc 12494.65k 12894.81k 13162.81k 13230.46k 13052.91k

$ openssl speed rsa4096
...
sign verify sign/s verify/s
rsa 4096 bits 0.689448s 0.009975s 1.5 100.3

That is, with AES 256 this server is able to saturate 100 Mbps
link easily. But it is only able to handle about 1.5 handshakes per
second with RSA 4096-bit key (the one with strength comparable to
AES 256).

You may try testing if downloading really big file makes a
difference on cpu usage with and without aesni engine activated,
but you aren't likely to see any difference in real life.

Setting correct ssl_session_cache may be a much more significant
optimization.

Maxim Dounin

_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx

没有评论:

发表评论