Bill Jonas on Tue, 24 Sep 2002 17:00:19 +0200
There was a discussion on debian-devel recently in which optimized versions of OpenSSL were discussed. Debian policy is not to provide optimized binaries, for purposes of greatest compatibility, and not to provide them along with the baseline (say, 386, in the case of IA32) binaries because of the potential bloat to the archive size, requiring more space on mirrors and so forth. But it turns out that the lowest-common-denominator gcc target for SPARC, SPARC v7, is far more inefficient for math-intensive operations than it needs to be on SPARC v8 and above. One reason for this is that v7 lacks hardware multiplication and division instructions, so these have to be emulated by the software instructions which are generated. (It was also said that a little optimization goes a long way on other platforms, too.) Cryptography is, of course, very math-intensive work.

For those of you who are running older SPARCstations (I have a SPARC 10, myself), I'm sure you've noticed the horribly long delay when establishing an ssh connection, especially with v2 of the SSH protocol. (It wasn't so bad with v1, but there are some flaws in that version of the protocol.) I myself clocked "time ssh <host> exit" as being consistently around 20 seconds.

So following that thread on debian-devel (beginning at <http://lists.debian.org/debian-devel/2002/debian-devel-200209/msg00267.html>), I became very interested in recompiling libssl, targeting the binary at slightly more capable hardware. Unfortunately, the method to optimize the compilation process for OpenSSL is, as is mentioned in the thread, quite non-obvious. Many thanks to Chris Mason (chris@k-rad.org) for pointing me in the right direction with this.

First, run "apt-get source libssl0.9.6". Ensure that you have a deb-src line for security.debian.org in your sources.list or else you will wind up compiling and installing a version of OpenSSL which has a vulnerability. (I think that on woody installs, a deb line for security.d.o is put in your sources.list by default, but a deb-src line is not.)

Change into the directory just created (openssl-0.9.6c). Edit the Configure script and find '^"debian-sparc"' (or replace "sparc" with the architecture for which you are compiling this package). Find '"gcc:' near the beginning of that line and add '-mv8' after it to compile for v8 (or see gcc(1) and pick an optimization; I used '-msupersparc').

The person with whom I was speaking recommended running "dch -i" to bump the version number; I chose not to do this and haven't had any problems. You may wish to do so, though, and add your own changelog entry. You'll probably want to increment the version by .1 instead of 1 so that updated packages will get installed when they are available.

Now, just run dpkg-buildpackage or debuild or your method of choice for building a Debian package. You'll get four .deb files in the parent directory; install them. Now just restart any daemons which use OpenSSL (sshd, apache-ssl, etc.) so they will use the new versions of the libraries, and you'll be all set.

After performing this step, I got a five-fold speedup in running "time ssh <host> exit"; it now takes just under four seconds to complete. Not bad. Not bad at all.

--
Bill Jonas * bill@billjonas.com * http://www.billjonas.com/
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin
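The two checks in the procedure above that are easy to get wrong by hand, written as an added example that is not part of the original post: confirming that an active deb-src line for security.debian.org exists before fetching the source, and inserting the target flag after '"gcc:' on the '"debian-sparc"' line of Configure. The function names are hypothetical, and the sources.list and Configure lines in the demo are constructed samples, not the real file contents.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are hypothetical.

# Succeeds only if FILE has an active (uncommented) deb-src line for
# security.debian.org, so "apt-get source" fetches the patched source.
has_security_src() {
    grep -Eq '^[[:space:]]*deb-src[[:space:]].*security\.debian\.org' "$1"
}

# add_target_flag CONFIGURE ARCH FLAG
# Inserts FLAG after '"gcc:' on the line that starts with '"debian-ARCH"'.
# Does nothing if the flag is already there; fails if the target is missing.
add_target_flag() {
    cfg=$1 arch=$2 flag=$3
    line=$(grep "^\"debian-$arch\"" "$cfg") || {
        echo "no \"debian-$arch\" target in $cfg" >&2
        return 1
    }
    case $line in
        *"\"gcc:$flag "*) return 0 ;;   # already patched
    esac
    tmp=$(mktemp) || return 1
    sed "/^\"debian-$arch\"/ s/\"gcc:/\"gcc:$flag /" "$cfg" > "$tmp"
    if cmp -s "$cfg" "$tmp"; then       # target line had no '"gcc:' field
        rm -f "$tmp"
        echo "\"debian-$arch\" line has no \"gcc: field" >&2
        return 1
    fi
    cat "$tmp" > "$cfg"                 # overwrite in place, keeps file mode
    rm -f "$tmp"
}

# Demo on constructed input (not the real Configure or sources.list contents).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'deb http://security.debian.org/ woody/updates main' \
        '# deb-src http://security.debian.org/ woody/updates main' > "$d/sources.list"
    has_security_src "$d/sources.list" || echo "deb-src line for security.debian.org missing"
    printf '%s\n' '"debian-i386","gcc:-O3 -Wall::(unknown)::",' \
        '"debian-sparc","gcc:-O3 -Wall::(unknown)::",' > "$d/Configure"
    add_target_flag "$d/Configure" sparc -mv8 && grep '^"debian-sparc"' "$d/Configure"
    rm -rf "$d"
}
demo
```

On a real system the calls would be has_security_src /etc/apt/sources.list before "apt-get source libssl0.9.6", then add_target_flag Configure sparc -mv8 inside openssl-0.9.6c before building.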