Leverage hardware and software to improve ECDHE and ECDSA cipher performance
This enhancement is applicable only to the following platforms:
- MPX/SDX 11000
- MPX/SDX 14000
- MPX 22000, MPX 24000, and MPX 25000
- MPX/SDX 14000 FIPS
Previously, ECDHE and ECDSA computation on a Citrix ADC appliance was performed only on the hardware (Cavium chips), which limited the number of SSL sessions at any given time. With this enhancement, some operations are also performed in the software. That is, processing is done both on the Cavium chips and on the CPU cores to improve ECDHE and ECDSA cipher performance.
The processing is first performed in software, up to the configured software crypto threshold. After this threshold is reached, the operations are offloaded to the hardware. Therefore, this hybrid model leverages both hardware and software to improve SSL performance. You can enable the hybrid model by setting the “softwareCryptoThreshold” parameter to suit your requirement. To disable the hybrid model, set this parameter to 0.
Benefits are greatest if the current CPU utilization is not too high, because the CPU threshold is not exclusive to ECDHE and ECDSA computation. For example, if the current workload on the Citrix ADC appliance consumes 50% of the CPU cycles, and the threshold is set to 80%, ECDHE and ECDSA computation can use an extra 30% of the cycles. After the configured software crypto threshold of 80% is reached, further ECDHE and ECDSA computation is offloaded to the hardware. In that case, actual CPU utilization might exceed 80%, because performing ECDHE and ECDSA computations in hardware consumes some CPU cycles.
Enable the hybrid model by using the CLI
At the command prompt, type:
```
set ssl parameter -softwareCryptoThreshold <positive_integer>
```
Synopsis:
softwareCryptoThreshold: Citrix ADC CPU utilization threshold (as a percentage) beyond which crypto operations are not done in software. A value of zero implies that the CPU is not utilized for doing crypto in software. Default = 0, Min = 0, Max = 100.
Example:
```
> set ssl parameter -softwareCryptoThreshold 80
 Done
> show ssl parameter
Advanced SSL Parameters
SSL quantum size : 8 KB
Max CRL memory size : 256 MB
Strict CA checks : NO
Encryption trigger timeout : 100 ms
Send Close-Notify : YES
Encryption trigger packet c : 45
Deny SSL Renegotiation : ALL
Subject/Issuer Name Insertion Format : Unicode
OCSP cache size : 10 MB
Push flag : 0x0 (Auto)
Strict Host Header check for SNI enabled SSL sessions : NO
PUSH encryption trigger timeout : 1 ms
Crypto Device Disable Limit : 0
Global undef action for control policies : CLIENTAUTH
Global undef action for data policies : NOOP
Default profile : DISABLED
Disable TLS 1.1/1.2 for SSL_BRIDGE secure monitors : NO
Disable TLS 1.1/1.2 for dynamic and VPN services : NO
Software Crypto acceleration CPU Threshold : 80
Signature and Hash Algorithms supported by TLS1.2 : ALL
```
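As an added illustration (not Citrix code), the following Python script parses the `show ssl parameter` output above to read back the configured threshold, validates it against the documented 0 to 100 range, and models the hybrid decision the page describes: software up to the threshold, hardware beyond it, and hardware only when the threshold is 0. The sample output embedded below is a constructed excerpt of the page's own listing; the function names are this example's own.

```python
import re

# Constructed excerpt of the "show ssl parameter" output shown on this page.
SAMPLE_SHOW_OUTPUT = """\
Advanced SSL Parameters
SSL quantum size : 8 KB
Crypto Device Disable Limit : 0
Software Crypto acceleration CPU Threshold : 80
Signature and Hash Algorithms supported by TLS1.2 : ALL
"""

THRESHOLD_KEY = "Software Crypto acceleration CPU Threshold"


def parse_ssl_parameters(text):
    """Turn 'Name : value' lines into a dict; the header line has no ' : ' and is skipped."""
    params = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, _, value = line.partition(" : ")
        params[key.strip()] = value.strip()
    return params


def software_crypto_threshold(params):
    """Return the configured threshold as an int; 0 means the hybrid model is disabled."""
    match = re.fullmatch(r"\d+", params.get(THRESHOLD_KEY, ""))
    if not match:
        raise ValueError("threshold missing or not numeric in show output")
    value = int(match.group(0))
    if not 0 <= value <= 100:
        raise ValueError("threshold outside the documented range 0-100: %d" % value)
    return value


def crypto_path(cpu_utilization, threshold):
    """Where the next ECDHE/ECDSA operation runs: software below the threshold,
    hardware once the threshold is reached or when the threshold is 0."""
    if threshold == 0 or cpu_utilization >= threshold:
        return "hardware"
    return "software"


def software_headroom(cpu_utilization, threshold):
    """CPU percentage still usable by software crypto (the page's 50%/80% -> 30% case)."""
    return max(0, threshold - cpu_utilization)
```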
Enable the hybrid model by using the GUI
- Navigate to Traffic Management > SSL > Change advanced SSL settings.
- Enter a value for Software Crypto Threshold (%).