Netgate Discussion Forum

    Squid package can utilize hardware based cryptographic acceleration

    • JonathanLee

      Hello fellow Netgate community members,

      I wanted to let you know after some research that you can access the cryptographic acceleration for certificate generation with use of ssl intercept mode. This vastly improves performance.

      I am using this directive within an older Squid package.

      ssl_engine devcrypto
      


      Testing of this with ssl bump active and system certificates installed shows vast improvements.

      Also you can check usage with

      vmstat -i | grep safexcel
      


      It will increment when loading webpages with the proxy active in ssl intercept mode.

      This is amazing!!!! Keep in mind not all Squid versions have support for the ssl_engine directive.

      A quote from Squid Support...

      ".... BUT "ssl_engine" is ...
      
      >
      >        Not supported in builds with OpenSSL 3.0 or newer.
      >
      
      
      If your Squid is built for libssl 3.0 or later, you may be able to
      configure /etc/ssl/openssl.cnf default provider to be the one you want.
      Such that Squid does not have to do anything for it to work.
      
      
      I expect all the details relating to how devcrypto does its thing to be
      configured in /etc/ssl/openssl.cnf.
      
      You may find this discussion from the OpenSSL community helpful:
        <https://github.com/openssl/openssl/issues/10701>
      
      (FTR; the
      
      HTH
      Amos"
      

      Ref:
      https://www.squid-cache.org/Doc/config/ssl_engine/

      Make sure to upvote

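A way to script the check described in the post above, as an added example that is not part of the original post or of the Squid package. The function names are hypothetical, the `vmstat -i` sample lines are constructed, and it assumes `squid -v` prints its usual "This binary uses OpenSSL ..." line.

```shell
#!/bin/sh
# Added example (not from the thread): check that ssl_engine devcrypto is usable
# and that the safexcel interrupt counters grow while the proxy handles TLS.

# Sum the "total" column of all safexcel lines in `vmstat -i` output (stdin).
# Interrupt names may contain spaces, so count fields from the right.
safexcel_total() {
    awk '/safexcel/ { sum += $(NF-1); seen = 1 }
         END { if (!seen) exit 1; printf "%d\n", sum }'
}

# OpenSSL major version from `squid -v` output (stdin).
openssl_major() {
    sed -n 's/.*OpenSSL \([0-9][0-9]*\)\..*/\1/p' | head -n 1
}

# Exit 0 only for builds older than OpenSSL 3.0, where ssl_engine is supported.
ssl_engine_usable() {
    major=$(openssl_major)
    [ -n "$major" ] && [ "$major" -lt 3 ]
}

# Print the counter growth between two samples; exit 0 only if it is positive.
offload_delta() {
    delta=$(( $2 - $1 ))
    echo "$delta"
    [ "$delta" -gt 0 ]
}

# Live check on the firewall: sample, generate proxy traffic for $1 seconds, resample.
check_live() {
    squid -v | ssl_engine_usable || { echo "ssl_engine unsupported (OpenSSL 3.0+?)"; return 2; }
    b=$(vmstat -i | safexcel_total) || { echo "no safexcel interrupts listed"; return 1; }
    sleep "${1:-30}"
    a=$(vmstat -i | safexcel_total) || return 1
    offload_delta "$b" "$a"
}

# Constructed samples (not real device output) so the parsing can be tried offline.
SAMPLE_BEFORE='interrupt                          total       rate
gic0,p11: arm_tmr0                 901234        112
gic0,s34: safexcel0 ring0             410          0
gic0,s35: safexcel0 ring1             388          0
Total                              902032        112'
SAMPLE_AFTER='interrupt                          total       rate
gic0,p11: arm_tmr0                 934870        112
gic0,s34: safexcel0 ring0            1275          0
gic0,s35: safexcel0 ring1            1190          0
Total                              937335        112'
```

Call `check_live 60` and browse HTTPS sites through the proxy during the wait. Anything else on the box that uses the crypto engine also raises these counters, so test on an otherwise quiet system.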
      • michmoor LAYER 8 Rebel Alliance @JonathanLee

        @JonathanLee
        dude...you are now the official maintainer of the Squid package!
        All jokes aside, have you considered reaching out to Netgate to see what can be done by you to be the maintainer? You clearly have the knowledge about the application and importantly you have the desire to see it improve for everyone. I say go for it.....

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

        • ngr2001 @JonathanLee

          @JonathanLee

          Does that include QAT Support?

          • JonathanLee @ngr2001

            @ngr2001 I don't know, try the directive to see if it works. I do not have that crypto chip.

            Make sure to upvote

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.