Use hardware and software to improve ECDHE and ECDSA cipher performance
This enhancement is applicable only to the following platforms:
- MPX/SDX 11000
- MPX/SDX 14000
- MPX 22000, MPX 24000, and MPX 25000
- MPX/SDX 14000 FIPS
Previously, ECDHE and ECDSA computation on a Citrix ADC appliance was performed only on the hardware (Cavium chips), which limited the number of SSL sessions at any given time. With this enhancement, some operations are also performed in the software. That is, processing is done both on the Cavium chips and on the CPU cores to improve ECDHE and ECDSA cipher performance.
The processing is first performed in software, up to the configured software crypto threshold. After this threshold is reached, the operations are offloaded to the hardware. Therefore, this hybrid model uses both hardware and software to improve SSL performance. You can enable the hybrid model by setting the “softwareCryptoThreshold” parameter to suit your requirement. To disable the hybrid model, set this parameter to 0.
Benefits are greatest if the current CPU utilization is not too high, because the threshold applies to total CPU utilization, not only to ECDHE and ECDSA computation. For example, if the current workload on the appliance consumes 50% of the CPU cycles, and the threshold is set to 80%, ECDHE and ECDSA computation can use only the remaining 30%. After the configured software crypto threshold of 80% is reached, further ECDHE and ECDSA computation is offloaded to the hardware. In that case, actual CPU utilization might exceed 80%, because performing ECDHE and ECDSA computations in hardware also consumes some CPU cycles.
Enable the hybrid model by using the CLI
At the command prompt, type:
set ssl parameter -softwareCryptoThreshold <positive_integer>

Synopsis:
softwareCryptoThreshold: Citrix ADC CPU utilization threshold (as a percentage) beyond which crypto operations are not done in software. A value of zero implies that CPU is not utilized for doing crypto in software.
Default = 0
Min = 0
Max = 100
Example:

set ssl parameter -softwareCryptoThreshold 80
Done

show ssl parameter
Advanced SSL Parameters
SSL quantum size : 8 KB
Max CRL memory size : 256 MB
Strict CA checks : NO
Encryption trigger timeout : 100 ms
Send Close-Notify : YES
Encryption trigger packet c : 45
Deny SSL Renegotiation : ALL
Subject/Issuer Name Insertion Format : Unicode
OCSP cache size : 10 MB
Push flag : 0x0 (Auto)
Strict Host Header check for SNI enabled SSL sessions : NO
PUSH encryption trigger timeout : 1 ms
Crypto Device Disable Limit : 0
Global undef action for control policies : CLIENTAUTH
Global undef action for data policies : NOOP
Default profile : DISABLED
Disable TLS 1.1/1.2 for SSL_BRIDGE secure monitors : NO
Disable TLS 1.1/1.2 for dynamic and VPN services : NO
Software Crypto acceleration CPU Threshold : 80
Signature and Hash Algorithms supported by TLS1.2 : ALL
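The headroom arithmetic from the 50%/80% example above can be checked against a saved copy of the show ssl parameter output. This is an added example, not Citrix code: the function names and the abbreviated sample output are constructed, and it assumes the output has one "name : value" pair per line.

```python
# Constructed, abbreviated excerpt of `show ssl parameter` output
# (assumed layout: one "name : value" pair per line).
SAMPLE_OUTPUT = """\
Advanced SSL Parameters
    SSL quantum size : 8 KB
    Deny SSL Renegotiation : ALL
    Push flag : 0x0 (Auto)
    Crypto Device Disable Limit : 0
    Software Crypto acceleration CPU Threshold : 80
    Signature and Hash Algorithms supported by TLS1.2 : ALL
"""

THRESHOLD_KEY = "Software Crypto acceleration CPU Threshold"


def parse_ssl_parameters(text):
    """Return {name: value} for each 'name : value' line; other lines are skipped."""
    params = {}
    for line in text.splitlines():
        # Split on the last " : " so names containing '/' or '.' stay intact.
        name, sep, value = line.strip().rpartition(" : ")
        if sep and name:
            params[name.strip()] = value.strip()
    return params


def software_crypto_headroom(params, current_cpu_pct):
    """CPU percentage points left for software ECDHE/ECDSA before offload.

    Returns None when the hybrid model is disabled (threshold 0) and 0 when
    the existing workload already meets or exceeds the threshold.
    """
    raw = params.get(THRESHOLD_KEY)
    if raw is None:
        raise KeyError(f"{THRESHOLD_KEY!r} not found in output")
    threshold = int(raw)
    if not 0 <= threshold <= 100:
        raise ValueError(f"threshold {threshold} is outside the documented 0-100 range")
    if not 0 <= current_cpu_pct <= 100:
        raise ValueError("current_cpu_pct must be a percentage between 0 and 100")
    if threshold == 0:
        return None
    return max(0, threshold - current_cpu_pct)


if __name__ == "__main__":
    parsed = parse_ssl_parameters(SAMPLE_OUTPUT)
    for cpu in (50, 85):  # constructed CPU utilization readings
        print(f"CPU {cpu}% -> software headroom: {software_crypto_headroom(parsed, cpu)}")
```

A result of 0 means all further ECDHE and ECDSA work goes to the hardware; None means the threshold is 0 and no crypto is done in software.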
Enable the hybrid model by using the GUI
- Navigate to Traffic Management > SSL > Change advanced SSL settings.
- Enter a value for Software Crypto Threshold (%).
Set an SNMP alarm for ECDHE exchange rate
ECDHE-based key exchange can cause the transactions per second on the appliance to drop. From release 13.0 build 52.x, you can configure an SNMP alarm for ECDHE-based transactions. In this alarm, you can set the threshold and normal limits for the ECDHE exchange rate. A new counter, nsssl_tot_sslInfo_ECDHE_Tx, is added. This counter is the sum of all the ECDHE-based transaction counters on the front-end and back-end of the appliance. When the ECDHE-based key exchange rate crosses the configured limits, an SNMP trap is sent. Another trap is sent when the value returns to the configured normal value.
Set an SNMP alarm for ECDHE exchange rate using the CLI
At the command prompt, type:
set snmp alarm ECDHE-EXCHANGE-RATE -logging ( ENABLED | DISABLED ) -severity <severity> -state ( ENABLED | DISABLED ) -thresholdValue <positive_integer> [-normalValue <positive_integer>] -time <secs>
Example:

set snmp alarm ECDHE-EXCHANGE-RATE -logging ENABLED -severity critical -state ENABLED -thresholdValue 100 -normalValue 50