New on LowEndTalk? Please Register and read our Community Rules.
Enable hardware crypto acceleration on your Via Nano dedi
VIA PadLock Advanced Cryptography Engine (VIA PadLock ACE) is a technology used in many VIA processors that provides very fast hardware encryption and decryption.
The Via Nano used in Online.net Kidechires and SCGen2 supports the Padlock extensions as well. In my tests enabling them in OpenSSL improves SHA1 performance by almost 4x, and drops the CPU load from HTTPS by 3x.
See my howto on rebuilding OpenSSL in Debian with Padlock support.
Let me know if it worked or not for you, also if it needs any clarifications or corrections.
Comments
sounds good
This is actually immensely nifty.
Nice, thanks for the article!
Is it possible to use this padlock thing with dm-crypt?
Unable to locate package libz1g-dev
any suggestion?
I believe dm-crypt should use it automatically, unrelated to rebuilding OpenSSL (since it's a kernel module and just uses the in-kernel crypto API directly), just make sure you use the cipher supported in hardware ("aes-cbc").
Of course your kernel should be compiled with it:
But I think that's already enabled by default in all distros.
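An added example, not part of the original post: a way to confirm at runtime which kernel driver will serve the `cbc(aes)` requests dm-crypt makes, by reading `/proc/crypto`. The sample listing, its driver and module names and priorities are constructed for illustration, and matching on the substring "padlock" in the driver name is an assumption.

```shell
#!/bin/sh
# Constructed sample in /proc/crypto format (not captured from a real host).
sample_proc_crypto() {
cat <<'EOF'
name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100

name         : cbc(aes)
driver       : cbc-aes-padlock
module       : padlock_aes
priority     : 300

name         : sha1
driver       : sha1-generic
module       : kernel
priority     : 100
EOF
}

# Read /proc/crypto-format text on stdin and print "priority driver module"
# for every implementation of algorithm $1, highest priority first.
crypto_drivers() {
    awk -v want="$1" '
        function emit() {
            if (name == want) print prio, driver, module
            name = driver = module = prio = ""
        }
        NF == 0          { emit(); next }
        $1 == "name"     { name = $3 }
        $1 == "driver"   { driver = $3 }
        $1 == "module"   { module = $3 }
        $1 == "priority" { prio = $3 }
        END              { emit() }
    ' | sort -rn
}

# The kernel crypto API hands out the highest-priority implementation of a name.
best_driver() { crypto_drivers "$1" | awk 'NR == 1 { print $2 }'; }

# Succeeds when that winning driver is a PadLock one (assumed naming).
uses_padlock() {
    case "$(best_driver "$1")" in
        *padlock*) return 0 ;;
        *)         return 1 ;;
    esac
}

sample_proc_crypto | crypto_drivers 'cbc(aes)'
# On a live host: best_driver 'cbc(aes)' < /proc/crypto
```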
You can also enable hardware acceleration in Tor; my CPU load is now 0.40, not 2.00, and the bandwidth has gone up quite a lot.
https://globe.thecthulhu.com/#/relay/9E8E20CD0B6F0DD91F320C9149CD51958E4C0357
Mh, mysterious. I get 6,4MB (advertised) without changing this.
An error occurs when executing "apt-get install devscripts fakeroot build-essential libz1g-dev"
Unable to locate package libz1g-dev
Can anyone help?
@hotsnow sorry, this seems to be a typo, try "zlib1g-dev".
yep, it's ok now, thanks
What's your relay name?
PM'ed you
I'm not 100 % sure, but isn't hardware acceleration enabled by default for Tor (if available) when used with OpenSSL 1.0.1+?
You still need to patch OpenSSL, as even 1.0.1+ does not include the Padlock support in its "default" form.
I know, but Tor needed to be explicitly configured to use hardware acceleration with older OpenSSL versions and that's no longer the case IIRC, that's what I was asking
How to do this on CentOS?
1) backup files
2) reinstall to debian
3) restore files
4) use https://romanrm.net/openssl-padlock
A solution without changing the OS would be cool lol
sepei, could be that it's already in the tree
openssl engine padlock should not give out an error
Do you need to restart the processes after applying the patch? I don't want to lose my uptime on tor if I don't have to.
Yes you do, else they keep using the previous version of the OpenSSL library.
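An added example, not part of the original thread: a way to find which running processes still map the old libssl/libcrypto after the rebuilt packages are installed, so only those need a restart. It relies on the kernel marking a mapping "(deleted)" in `/proc/PID/maps` once the file on disk has been replaced; the sample maps lines and library paths are constructed.

```shell
#!/bin/sh
# Constructed sample in /proc/PID/maps format (not captured from a real host).
sample_maps() {
cat <<'EOF'
b7400000-b75a0000 r-xp 00000000 08:01 131201 /usr/lib/i386-linux-gnu/libcrypto.so.1.0.0 (deleted)
b75a0000-b75b0000 rw-p 001a0000 08:01 131201 /usr/lib/i386-linux-gnu/libcrypto.so.1.0.0 (deleted)
b75c0000-b7610000 r-xp 00000000 08:01 131202 /usr/lib/i386-linux-gnu/libssl.so.1.0.0 (deleted)
b7620000-b77c0000 r-xp 00000000 08:01 131090 /lib/i386-linux-gnu/libc-2.13.so
b77d0000-b77d1000 rw-p 00000000 00:00 0 [heap]
EOF
}

# Read a maps listing on stdin and print each libssl/libcrypto path that is
# still mapped from a file which has since been replaced on disk.
stale_openssl_libs() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /\/lib(ssl|crypto)\.so/ { print $(NF-1) }' |
        sort -u
}

# Walk /proc and print "PID COMMAND LIBRARY" for every process that is still
# running the previous OpenSSL build. Run as root to see all processes.
processes_needing_restart() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        libs=$(cat "$maps" 2>/dev/null | stale_openssl_libs)
        [ -n "$libs" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        for lib in $libs; do
            echo "$pid $comm $lib"
        done
    done
}

sample_maps | stale_openssl_libs
# On a live host, after installing the rebuilt packages: processes_needing_restart
```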
I get this error at the dpkg-build bit near the end:
installing man1/CA.pl.1ssl
installing man1/asn1parse.1ssl
installing man1/c_rehash.1ssl
installing man1/ca.1ssl
installing man1/ciphers.1ssl
installing man1/cms.1ssl
cms.pod around line 457: Expected text after =item, not a number
cms.pod around line 461: Expected text after =item, not a number
cms.pod around line 465: Expected text after =item, not a number
cms.pod around line 470: Expected text after =item, not a number
cms.pod around line 474: Expected text after =item, not a number
POD document had syntax errors at /usr/bin/pod2man line 71.
make[1]: *** [install_docs] Error 255
make[1]: Leaving directory `/root/openssl-1.0.1e'
make: *** [install] Error 2
dpkg-buildpackage: error: debian/rules binary gave error exit status 2
Not really sure how to advance. I'm new to compiling stuff too, so sorry if this was obvious.
Hmm, looks like this patch crashes tor for me
I am currently doing 3 MB with a 57-60% load. It was going very well, always up until the 10th or so, then dropped to half, stayed there for 3 days, then starting to go back up. I was never limited by CPU, I am not sure it is a BW issue either, each time I tried I had good connection on top of Tor.
I will wait to see if it saturates the CPU and if it does, at how much traffic per second that happens. Then I will see what can be done, but until the CPU is not saturated, I suspect other causes.
Remember, a Tor node doesn't reach its full capacity until it has been up for two months.
I got some dedis with the last offer and Tor is working slower than previously for me too, but I expect it to hopefully speed up during January.
I know, but that does not explain the halving of traffic on the 10th and it staying down at about the same level for 3 days for no apparent reason. My attempts to see what is wrong failed, so I guess I will have to wait and see.
Which OS do you use? There are some fixes for your error messages: https://startpage.com/do/search?cat=web&cmd=process_search&language=english&engine0=v1all&query="cms.pod+around+line+457:+Expected+text+after+=item,+not+a+number"&abp=1&x=0&y=0
But I'm wondering why you got these and I haven't.
Personally did not try Tor with these patches, do other apps work fine? E.g. the "openssl sha1" test mentioned in the howto, or "openssl speed -evp aes-128-cbc -engine padlock"?
Yep. There's a significant performance gain with the padlock patch on openSSL. Tor seems to be the only program that doesn't work.
But I'm wondering why you got these and I haven't.
Ubuntu 14.10
Thanks for the suggestion, but I fixed it by using a patch that patched the manpages. Now I'm seeing 200+MB/s on your test, up from ~45MB/s. Thanks a lot for the thread, this might allow me to squeeze some extra juice out of my dedis.
https://blog.torproject.org/blog/lifecycle-of-a-new-relay
You got your Kidechire on November 28th, right, and I think you said in another thread you set up Tor a few days after that? A load drop on December 10th would seem to fit the new relay timeline pretty closely.