On Fri, 2007-03-30 at 14:45 +0100, Malcolm wrote:[...]

You'll need to recompile Pound against your "private" OpenSSL version.
Try configure --with-ssl=/path/to/private/version, followed by make.[...]

Robert Segall wrote:[...][...][...]

Thanks, that makes sense.
So I tried to configure pound 1.10 --with-ssl=/path/to/private/version
And it complained that threads were not enabled.
So I re-compiled the cavium version of openssl with thread support..
Then configured pound 1.10 --with-ssl=/path/to/private/version
which seemed happy...

openssl speed dsa -engine cavium (still works)
But when I start pound it just logs:
pound: starting...
pound: could not find cavium engine

Any help appreciated..

I also note that if I put a rubbish (non-existent) path to the openssl files
then configure still works!
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
checking openssl/engine.h usability... yes
checking openssl/engine.h presence... yes
checking for openssl/engine.h... yes
Where is it looking for these files?

On Tue, 2007-04-17 at 16:57 +0100, Malcolm wrote:[...]

So it's not compiled/linked against your "private" OpenSSL. Check the
Makefile (CFLAGS and LDFLAGS) to see why.

As an aside - 1.10 is a bit out of date, the current stable version is
2.3...
[...]

That's a common problem with autoconf - if it doesn't find your path it
will use the default stuff.[...]

Robert Segall wrote:[...]

Ah, thanks finally got it compiled :-).
I still need to do a export LD_LIBRARY_PATH=/usr/local/ssl/lib before 
starting pound but it works.

I'm now testing the performance using one config with the cavium engine 
and one without but I'm getting the same performance?
The log says that Pound is using engine cavium.
Am I doing something daft in the config or the test?

#Pound config
User    nobody
Group    nobody
ExtendedHTTP    0
WebDAV    0
LogLevel    0
RewriteRedirect    0
SSLEngine cavium

ListenHTTPS 192.168.1.75,444 /usr/local/etc/server1.pem
UrlGroup ".*"
BackEnd 127.0.0.1,80,1
EndGroup

openssl speed dsa

                  sign    verify    sign/s verify/s
dsa  512 bits 0.000264s 0.000306s   3783.1   3269.3
dsa 1024 bits 0.000707s 0.000826s   1414.7   1210.5
dsa 2048 bits 0.002229s 0.002659s    448.6    376.1

openssl speed dsa -engine cavium
                  sign    verify    sign/s verify/s
dsa  512 bits 0.000039s 0.000306s  25961.5   3271.7
dsa 1024 bits 0.000062s 0.000855s  16160.8   1170.1
dsa 2048 bits 0.000067s 0.002583s  14882.7    387.2



Pound without CAVIUM
malcolm(at)Armari64:~$ ab -t 30 -c 1 https://192.168.1.75:444/
This is ApacheBench, Version 2.0.41-dev <$Revision: 1.141 $> apache-2.0
Copyright (c) 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Copyright (c) 1998-2002 The Apache Software Foundation, 
http://www.apache.org/

Benchmarking 192.168.1.75 (be patient)
Completed 5000 requests
Finished 7311 requests


Server Software:        Apache/2.0.52
Server Hostname:        192.168.1.75
Server Port:            444

Document Path:          /
Document Length:        31 bytes

Concurrency Level:      1
Time taken for tests:   30.3090 seconds
Complete requests:      7311
Failed requests:        0
Write errors:           0
Total transferred:      2178678 bytes
HTML transferred:       226641 bytes
Requests per second:    243.67 [#/sec] (mean)
Time per request:       4.104 [ms] (mean)
Time per request:       4.104 [ms] (mean, across all concurrent requests)
Transfer rate:          70.89 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        2    2   0.9      2      59
Processing:     0    0   3.8      1     314
Waiting:        0    0   3.7      0     313
Total:          3    3   3.9      3     317

Percentage of the requests served within a certain time (ms)
  50%      3
  66%      3
  75%      3
  80%      3
  90%      3
  95%      4
  98%      4
  99%      4
 100%    317 (longest request)

Pound with CAVIUM

malcolm(at)Armari64:~$ ab -t 30 -c 1 https://192.168.1.75:444/
This is ApacheBench, Version 2.0.41-dev <$Revision: 1.141 $> apache-2.0
Copyright (c) 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Copyright (c) 1998-2002 The Apache Software Foundation, 
http://www.apache.org/

Benchmarking 192.168.1.75 (be patient)
Completed 5000 requests
Finished 7472 requests


Server Software:        Apache/2.0.52
Server Hostname:        192.168.1.75
Server Port:            444

Document Path:          /
Document Length:        31 bytes

Concurrency Level:      1
Time taken for tests:   30.330 seconds
Complete requests:      7472
Failed requests:        0
Write errors:           0
Total transferred:      2226923 bytes
HTML transferred:       231632 bytes
Requests per second:    249.06 [#/sec] (mean)
Time per request:       4.015 [ms] (mean)
Time per request:       4.015 [ms] (mean, across all concurrent requests)
Transfer rate:          72.47 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        2    2   1.0      3      19
Processing:     0    0   0.3      0      21
Waiting:        0    0   0.3      0      21
Total:          3    3   0.4      3      24

Percentage of the requests served within a certain time (ms)
  50%      3
  66%      3
  75%      3
  80%      3
  90%      3
  95%      3
  98%      4
  99%      4
 100%     24 (longest request)

On Wed, 2007-04-18 at 10:44 +0100, Malcolm wrote:[...]

No, nothing wrong here.
[...]

These results are very suspect: you show a massive speed-up on signing,
but practically no change on verifying.

Even worse, signing tells you little about OpenSSL, as it is not used.
With SSL you use three things:

- some key exchange protocol, such as RSA or DH, once per session (on
very long sessions the key may be periodically renegotiated).
- symmetric encryption (RC4, 3DES, AES or whatever) using the previously
negotiated key. This makes up the vast bulk of the computational load.
- some hashing function (usually MD5 or SHA) to ensure integrity.

I would check the speeds using these algorithms - your CAVIUM card may
or may not help.
[...]

There is some improvement, which might be consistent with the CAVIUM
performance - or not. I would also check that your back-end can do more
than 250 requests per second (test it without SSL, directly and with
Pound, and see what results you get).[...]