nginx how to enable intel aesni engine

Maxim Dounin mdounin at mdounin.ru
Thu Mar 10 04:34:07 MSK 2011


Hello!

On Wed, Mar 09, 2011 at 04:14:16PM -0500, michaelvv wrote:

> Hi Maxim.
> 
> I have put it into the global session, but I cannot see any speed
> difference, which was huge in openssl.
> Do you know anyone who has had success getting it to work properly?
> I'm missing something, but I have googled for 3 hours and I'm
> quite lost.
> Is there any way that I can see which engine nginx is using?

The missing part is:

In openssl speed tests you see a difference in block cipher speed, 
while in real life most CPU time is spent on asymmetric 
algorithms during the SSL handshake.

Compare the following results (both are from the same server, 
rather old and slow):

$ openssl speed aes-256-cbc
...
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256 cbc      12494.65k    12894.81k    13162.81k    13230.46k    13052.91k

$ openssl speed rsa4096
...
                  sign    verify    sign/s verify/s
rsa 4096 bits 0.689448s 0.009975s      1.5    100.3

That is, with AES 256 this server is able to saturate a 100 Mbps 
link easily.  But it is only able to handle about 1.5 handshakes per 
second with an RSA 4096-bit key (the one with strength comparable to 
AES 256).

You may try testing if downloading a really big file makes a 
difference in CPU usage with and without the aesni engine activated, 
but you aren't likely to see any difference in real life.

Setting correct ssl_session_cache may be a much more significant 
optimization.

Maxim Dounin
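
Added example, not part of the original message: a small model that parses the two `openssl speed` lines quoted above and compares per-connection CPU cost when AES gets faster versus when handshakes are skipped through session reuse. The 5x AES speedup, the 90% reuse ratio and the two-term cost model (one RSA private-key operation plus bulk encryption, nothing else) are assumptions chosen for illustration.

```python
import re

# Output lines copied from the message above (both from the same server).
AES_LINE = "aes-256 cbc      12494.65k    12894.81k    13162.81k    13230.46k    13052.91k"
RSA_LINE = "rsa 4096 bits 0.689448s 0.009975s      1.5    100.3"

def parse_aes_throughput(line):
    """Bytes/second for the largest block size (last column of the line)."""
    cols = re.findall(r"([\d.]+)k", line)
    return float(cols[-1]) * 1000  # openssl reports 1000s of bytes per second

def parse_rsa_sign_seconds(line):
    """Seconds per RSA private-key operation (the 'sign' column)."""
    return float(re.search(r"bits\s+([\d.]+)s", line).group(1))

def cpu_seconds(body_bytes, aes_bps, sign_s, aes_speedup=1.0, reuse_ratio=0.0):
    """Average CPU seconds per connection under the simplified model.

    aes_speedup: assumed factor by which an engine accelerates AES.
    reuse_ratio: assumed fraction of connections resumed from the session
                 cache, which skip the RSA private-key operation.
    """
    handshake = sign_s * (1.0 - reuse_ratio)
    bulk = body_bytes / (aes_bps * aes_speedup)
    return handshake + bulk

def break_even_bytes(aes_bps, sign_s):
    """Response size at which bulk AES costs as much as one full handshake."""
    return aes_bps * sign_s

if __name__ == "__main__":
    aes = parse_aes_throughput(AES_LINE)
    sign = parse_rsa_sign_seconds(RSA_LINE)
    print(f"break-even response size: {break_even_bytes(aes, sign) / 1e6:.1f} MB")
    for size in (50_000, 1_000_000, 100_000_000):  # constructed response sizes
        base = cpu_seconds(size, aes, sign)
        fast = cpu_seconds(size, aes, sign, aes_speedup=5.0)
        cached = cpu_seconds(size, aes, sign, reuse_ratio=0.9)
        print(f"{size:>11} B  base {base:.3f}s  5x AES {fast:.3f}s  "
              f"90% reuse {cached:.3f}s")
```

With the figures above, bulk encryption only costs as much as one handshake once a response reaches roughly 9 MB, so for typical small responses the AES speedup is invisible while session reuse removes most of the cost.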


