Citrix ADC

Leverage hardware and software to improve ECDHE and ECDSA cipher performance

Note:

This enhancement is applicable only to the following platforms:

  • MPX/SDX 11542
  • MPX/SDX 14000
  • MPX 22000, MPX 24000, and MPX 25000
  • MPX/SDX 14000 FIPS

Previously, ECDHE and ECDSA computation on a Citrix ADC appliance was performed only on the hardware (Cavium chips), which limited the number of SSL sessions at any given time. With this enhancement, some operations are also performed in the software. That is, processing is done both on the Cavium chips and on the CPU cores to improve ECDHE and ECDSA cipher performance.

Processing is performed in software first, until CPU utilization reaches the configured software crypto threshold. Beyond that threshold, further operations are offloaded to the hardware. This hybrid model therefore uses both hardware and software to improve SSL performance. You enable the hybrid model by setting the "softwareCryptoThreshold" parameter (a CPU utilization percentage) to suit your requirement. To disable the hybrid model, set this parameter to 0.

The benefit is greatest when current CPU utilization is low, because the threshold applies to total CPU utilization, not only to ECDHE and ECDSA computation. For example, if the current workload on the Citrix ADC appliance consumes 50% of the CPU cycles and the threshold is set to 80%, ECDHE and ECDSA computation can use an additional 30% of the cycles. After the configured software crypto threshold of 80% is reached, further ECDHE and ECDSA computation is offloaded to the hardware. In that case, actual CPU utilization might exceed 80%, because performing ECDHE and ECDSA computations in hardware still consumes some CPU cycles.

Enable the hybrid model by using the CLI

At the command prompt, type:

set ssl parameter -softwareCryptoThreshold <positive_integer>

Synopsis:

softwareCryptoThreshold:

Citrix ADC CPU utilization threshold (as a percentage) beyond which crypto operations are not done in software. A value of zero implies that CPU is not utilized for doing crypto in software.

Default = 0

Min = 0

Max = 100

Example:

set ssl parameter -softwareCryptoThreshold 80
Done

show ssl parameter
Advanced SSL Parameters

SSL quantum size                  : 8 KB
Max CRL memory size               : 256 MB
Strict CA checks                  : NO
Encryption trigger timeout        : 100 ms
Send Close-Notify                 : YES
Encryption trigger packet c       : 45
Deny SSL Renegotiation            : ALL
Subject/Issuer Name Insertion Format : Unicode
OCSP cache size                   : 10 MB
Push flag                         : 0x0 (Auto)
Strict Host Header check for SNI enabled SSL sessions : NO
PUSH encryption trigger timeout   : 1 ms
Crypto Device Disable Limit       : 0
Global undef action for control policies : CLIENTAUTH
Global undef action for data policies : NOOP
Default profile                   : DISABLED
Disable TLS 1.1/1.2 for SSL_BRIDGE secure monitors    : NO
Disable TLS 1.1/1.2 for dynamic and VPN services : NO
Software Crypto acceleration CPU Threshold : 80
Signature and Hash Algorithms supported by TLS1.2 : ALL

Enable the hybrid model by using the GUI

  1. Navigate to Traffic Management > SSL > Change advanced SSL settings.
  2. Enter a value for Software Crypto Threshold (%).
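An added example (not Citrix code) for verifying the setting after either procedure: it parses the "Name : value" layout of the `show ssl parameter` output shown above, extracts the threshold, computes the software headroom figure from the worked example in the text, and builds a range-checked `set ssl parameter` line. The sample output below is a constructed, trimmed copy; the column layout is assumed to match the page's sample.

```python
"""Audit the softwareCryptoThreshold setting from `show ssl parameter` output.

Added example, not Citrix code. Assumes the plain "Name : value" layout shown
in the page's sample output. The sample text below is constructed.
"""

# Constructed: trimmed `show ssl parameter` output in the layout shown above.
SAMPLE_SHOW_SSL_PARAMETER = """\
Advanced SSL Parameters

SSL quantum size                  : 8 KB
Deny SSL Renegotiation            : ALL
Push flag                         : 0x0 (Auto)
Crypto Device Disable Limit       : 0
Software Crypto acceleration CPU Threshold : 80
Signature and Hash Algorithms supported by TLS1.2 : ALL
"""

# Field name used by the appliance output for the hybrid-model threshold.
THRESHOLD_KEY = "Software Crypto acceleration CPU Threshold"


def parse_ssl_parameters(text):
    """Turn 'Name : value' lines into a dict; lines without ' : ' are skipped."""
    params = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        name, value = line.split(" : ", 1)
        params[name.strip()] = value.strip()
    return params


def software_crypto_threshold(params):
    """Return the configured threshold as an int; 0 means the hybrid model is off."""
    raw = params.get(THRESHOLD_KEY)
    if raw is None:
        raise KeyError("threshold line not found in show ssl parameter output")
    value = int(raw)
    if not 0 <= value <= 100:
        raise ValueError("threshold outside the documented 0..100 range: %d" % value)
    return value


def ecc_software_headroom(threshold, current_cpu_percent):
    """CPU share still available to ECDHE/ECDSA in software before offload to
    hardware starts (threshold 80 with 50% load gives 30, as in the text)."""
    if threshold == 0:          # hybrid model disabled: everything goes to hardware
        return 0
    return max(0, threshold - current_cpu_percent)


def build_set_command(threshold):
    """Return the exact CLI line to apply, rejecting values the appliance
    would not accept so a typo such as 800 is caught before it is typed in."""
    if not isinstance(threshold, int) or not 0 <= threshold <= 100:
        raise ValueError("softwareCryptoThreshold must be an integer 0..100")
    return "set ssl parameter -softwareCryptoThreshold %d" % threshold


if __name__ == "__main__":
    params = parse_ssl_parameters(SAMPLE_SHOW_SSL_PARAMETER)
    current = software_crypto_threshold(params)
    print("configured threshold:", current,
          "(hybrid model %s)" % ("enabled" if current else "disabled"))
    print("software headroom at 50% load:", ecc_software_headroom(current, 50))
    print(build_set_command(80))
```

Run it against the real output captured from `show ssl parameter` to confirm the value the appliance reports, rather than trusting that the `set` command was accepted.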

Set an SNMP alarm for ECDHE exchange rate

ECDHE-based key exchange can cause the transactions per second on the appliance to drop. From release 13.0 build 52.x, you can configure an SNMP alarm for ECDHE-based transactions. In this alarm, you set the threshold and normal limits for the ECDHE exchange rate. A new counter, nsssl_tot_sslInfo_ECDHE_Tx, is added. This counter is the sum of all the ECDHE-based transaction counters on the front end and back end of the appliance. When the ECDHE-based key exchange rate crosses the configured threshold, an SNMP trap is sent. Another trap is sent when the value is back at the configured normal value.

Set an SNMP alarm for ECDHE exchange rate using the CLI

At the command prompt, type:

set snmp alarm ECDHE-EXCHANGE-RATE -logging ( ENABLED | DISABLED ) -severity <severity> -state ( ENABLED | DISABLED ) -thresholdValue <positive_integer> [-normalValue <positive_integer>] -time <secs>

Example:

set snmp alarm ECDHE-EXCHANGE-RATE -logging ENABLED -severity critical -state ENABLED -thresholdValue 100 -normalValue 50
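An added example (not Citrix code) that works through the two-trap behaviour described above with the example's values (thresholdValue 100, normalValue 50): a rate between the two limits raises no trap, so a burst produces exactly one threshold trap and one normal trap rather than a flood. The page does not state how the appliance samples the counter or in what units the rate is compared, so the example assumes the rate is the per-second delta of the cumulative nsssl_tot_sslInfo_ECDHE_Tx counter over each -time interval, with the threshold trap at rate >= thresholdValue and the normal trap at rate <= normalValue. The counter readings are constructed.

```python
"""Simulate the ECDHE-EXCHANGE-RATE alarm's threshold/normal hysteresis.

Added example, not Citrix code. Assumptions (not stated on the page): the
cumulative nsssl_tot_sslInfo_ECDHE_Tx counter is read once per -time interval,
the rate is the per-second delta, the threshold trap fires at
rate >= thresholdValue and the normal trap at rate <= normalValue.
"""

THRESHOLD = 100   # -thresholdValue from the example above
NORMAL = 50       # -normalValue from the example above
INTERVAL = 5      # -time <secs>; assumed value, the example above omits it

# Constructed cumulative readings of nsssl_tot_sslInfo_ECDHE_Tx, one per interval.
COUNTER_SAMPLES = [0, 200, 800, 1600, 1950, 2150]


def compute_rates(samples, interval_secs):
    """Per-second ECDHE exchange rate between consecutive cumulative readings.
    A negative delta (counter reset, e.g. after a reboot) yields None so the
    alarm logic does not treat it as a real rate."""
    rates = []
    for prev, cur in zip(samples, samples[1:]):
        delta = cur - prev
        rates.append(None if delta < 0 else delta / interval_secs)
    return rates


def alarm_events(rates, threshold, normal):
    """Return (interval_index, rate, trap) tuples the alarm would emit.

    The alarm has two states. It leaves the normal state only when the rate
    reaches the threshold, and returns to it only when the rate falls to the
    normal value; rates between the two limits change nothing, which is the
    hysteresis that stops a hovering rate from generating a trap per interval.
    """
    if normal >= threshold:
        raise ValueError("normalValue must be below thresholdValue")
    in_alarm = False
    events = []
    for idx, rate in enumerate(rates, start=1):
        if rate is None:        # counter reset: skip this interval
            continue
        if not in_alarm and rate >= threshold:
            in_alarm = True
            events.append((idx, rate, "threshold"))
        elif in_alarm and rate <= normal:
            in_alarm = False
            events.append((idx, rate, "normal"))
    return events


if __name__ == "__main__":
    rates = compute_rates(COUNTER_SAMPLES, INTERVAL)
    print("rates per interval:", rates)
    for idx, rate, trap in alarm_events(rates, THRESHOLD, NORMAL):
        print("interval %d: rate %.0f/s -> %s trap" % (idx, rate, trap))
```

With the constructed readings the rates are 40, 120, 160, 70 and 40 per second: the first trap fires at 120 (threshold), nothing fires at 160 or at 70 even though 70 is above the normal value, and the second trap fires when the rate reaches 40. Choose normalValue well below thresholdValue for exactly this reason; setting the two equal or too close defeats the hysteresis.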
