A long time ago, I posted an article about the advantages of hardware-accelerated SSL encryption, and how to get it working on Fedora Linux. Since then, some things have improved, and some things have regressed.
- OpenSSL patches have been added that fix problems with certificate signing when using hardware acceleration.
- Red Hat have broken OpenSSH with their audit patch. This is particularly inconsistent with the fact that the distro-supplied openssh package in EL6 is built with the --with-ssl-engine option, to enable support for hardware crypto acceleration, yet this is clearly completely untested, which raises the question of what the point of it is.
Thankfully, the regression mentioned above can be fixed to make sshd work properly with hardware crypto offload.
Here are links to patched OpenSSL and OpenSSH packages for EL6, current at the time of writing this article:
While ssh using the blowfish algorithm in software is very fast and good enough for general-purpose ssh usage, for some operations, such as transferring ZFS snapshots over ssh, using hardware-offloaded AES provides a very welcome performance boost, because it leaves more CPU available for other processes.