Leverage hardware and software to improve ECDHE and ECDSA cipher performance
Note:
This enhancement is applicable only to the following platforms:
- MPX/SDX 11000
- MPX/SDX 14000
- MPX 22000, MPX 24000, and MPX 25000
- MPX/SDX 14000 FIPS
Previously, ECDHE and ECDSA computation on a Citrix ADC appliance was performed only on the hardware (Cavium chips), which limited the number of SSL sessions at any given time. With this enhancement, some operations are also performed in the software. That is, processing is done both on the Cavium chips and on the CPU cores to improve ECDHE and ECDSA cipher performance.
The processing is first performed in software, up to the configured software crypto threshold. After this threshold is reached, the operations are offloaded to the hardware. Therefore, this hybrid model leverages both hardware and software to improve SSL performance. You can enable the hybrid model by setting the “softwareCryptoThreshold” parameter to suit your requirement. To disable the hybrid model, set this parameter to 0.
Benefits are greatest if the current CPU utilization is not too high, because the CPU threshold is not exclusive to ECDHE and ECDSA computation. For example, if the current workload on the Citrix ADC appliance consumes 50% of the CPU cycles, and the threshold is set to 80%, ECDHE and ECDSA computation can use an extra 30% of the cycles. After the configured software crypto threshold of 80% is reached, further ECDHE and ECDSA computation is offloaded to the hardware. In that case, actual CPU utilization might exceed 80%, because performing ECDHE and ECDSA computations in hardware consumes some CPU cycles.
Enable the hybrid model by using the CLI
At the command prompt, type:
set ssl parameter -softwareCryptoThreshold <positive_integer>
Synopsis:
softwareCryptoThreshold:
Citrix ADC CPU utilization threshold (as a percentage) beyond which crypto operations are not done in software. A value of zero implies that CPU is not utilized for doing crypto in software.
Default = 0
Min = 0
Max = 100
Example:
>set ssl parameter -softwareCryptoThreshold 80
Done
>show ssl parameter
Advanced SSL Parameters
SSL quantum size : 8 KB
Max CRL memory size : 256 MB
Strict CA checks : NO
Encryption trigger timeout : 100 ms
Send Close-Notify : YES
Encryption trigger packet c : 45
Deny SSL Renegotiation : ALL
Subject/Issuer Name Insertion Format : Unicode
OCSP cache size : 10 MB
Push flag : 0x0 (Auto)
Strict Host Header check for SNI enabled SSL sessions : NO
PUSH encryption trigger timeout : 1 ms
Crypto Device Disable Limit : 0
Global undef action for control policies : CLIENTAUTH
Global undef action for data policies : NOOP
Default profile : DISABLED
Disable TLS 1.1/1.2 for SSL_BRIDGE secure monitors : NO
Disable TLS 1.1/1.2 for dynamic and VPN services : NO
Software Crypto acceleration CPU Threshold : 80
Signature and Hash Algorithms supported by TLS1.2 : ALL
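The following Python is an added example, not Citrix code or part of the original documentation: it parses `show ssl parameter` output in the format shown above, checks the threshold against the documented 0-100 range, and works through the headroom arithmetic from the 50%/80% case. The sample output is constructed and abridged; the function names and the `baseline_cpu_pct` input (CPU load measured separately) are assumptions.

```python
import re

# Constructed, abridged sample in the format of the `show ssl parameter` output above.
SAMPLE_OUTPUT = """\
Advanced SSL Parameters
SSL quantum size : 8 KB
Crypto Device Disable Limit : 0
Software Crypto acceleration CPU Threshold : 80
Signature and Hash Algorithms supported by TLS1.2 : ALL
"""

THRESHOLD_LABEL = "Software Crypto acceleration CPU Threshold"


def parse_ssl_parameters(text):
    """Map each 'name : value' line to a dict entry; lines without a colon are skipped."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.rpartition(":")
        if sep and name.strip():
            params[name.strip()] = value.strip()
    return params


def assess_threshold(text, baseline_cpu_pct):
    """Report the hybrid-model state and the CPU share left for software ECDHE/ECDSA.

    baseline_cpu_pct is the appliance's current CPU utilization (assumed input).
    """
    raw = parse_ssl_parameters(text).get(THRESHOLD_LABEL)
    if raw is None:
        raise ValueError("threshold line not found in output")
    if not re.fullmatch(r"[0-9]{1,3}", raw) or int(raw) > 100:
        raise ValueError(f"threshold {raw!r} is outside the documented range 0-100")
    if not 0 <= baseline_cpu_pct <= 100:
        raise ValueError("baseline CPU utilization must be a percentage")
    threshold = int(raw)
    enabled = threshold > 0  # 0 disables the hybrid model
    # Software crypto runs only while CPU utilization is below the threshold.
    headroom = max(0, threshold - baseline_cpu_pct) if enabled else 0
    return {
        "threshold": threshold,
        "hybrid_enabled": enabled,
        "software_headroom_pct": headroom,
    }


if __name__ == "__main__":
    print(assess_threshold(SAMPLE_OUTPUT, baseline_cpu_pct=50))
```

A headroom of 0 with the hybrid model enabled means the baseline load already meets the threshold, so ECDHE and ECDSA operations go to the hardware as before.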
Enable the hybrid model by using the GUI
- Navigate to Traffic Management > SSL > Change advanced SSL settings.
- Enter a value for Software Crypto Threshold (%).