RHEL 7 HAProxy 1.5.x and custom openssl engines


I was wondering if there is an option, like in Apache mod_ssl 'SSLCryptoDevice engine', to change the default crypto engine to use Hardware Security Modules (for example the Thales/nCipher chil engine)? I know that HAProxy uses OpenSSL as an encryption/SSL/TLS layer, so it might be very useful.



Hi Krzysztof,

No, currently HAProxy on RHEL 7.0 does not support OpenSSL engine offloading. Such support has never made its way upstream, even though some discussions took place, mostly due to the fact that with today's CPUs and with the general size of the request the performance benefits were too small.