ingard
Sep 18, 2014

Why am I seeing so many "Partial" SSL Hardware Accelerated transactions?

My SSL profile uses ciphers "default". show /ltm profile client-ssl myprofile gives this (I've just recently reset the stats):

 

SSL Hardware Acceleration
  Full              32.4K
  Partial           14.1K
  None (Software)   47

 

What are those Partial transactions? And how might I go about getting everything to be fully hw accelerated?

 

8 Replies

  • I believe Partial relates to where a COMPAT cipher is negotiated and OpenSSL is used. It's partial because the handshake is always handled in hardware but the bulk crypto operations then move to OpenSSL if a COMPAT cipher is in use.

     

    No clue about the None related output.

     

    To have everything h/w accelerated, change your cipher string to NATIVE (or DEFAULT if you're on v11 I think) but do some research on what that might mean for your clients and what ciphers will be available. Start here with that: http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13171.html

     

  • ingard

    Hi, thanks for replying. I'm already using the DEFAULT cipher suite, so it's nothing to do with COMPAT. We're on version 11.4.1 with the latest hotfix. Anyway, support came back to me with a suggestion that since I was sorting the ciphers by strength the initial handshake had to be done by the tmm. I'm not sure that is entirely accurate, however, as I am still seeing partial transactions after disabling the :@STRENGTH.

     

  • Perhaps try NATIVE rather than DEFAULT. I'm not confident it'll help, mind.

     

    I'd speculate it's related to particular ciphers that use ECDHE and the like.

     

  • I don't think it's necessarily anything to do with NATIVE. I'm seeing 100% Native and 0% Compatibility for all connections, but still getting a good chunk of Partial under the SSL acceleration table.

     

  • Can you open a support case to verify?

     

    I do see a couple of bugs but do not know whether they match yours.

     

    e.g.

     

    ID477950 partial acceleration with session resumption using some ciphers

     

  • I've opened a case with F5. Incidentally, I upgraded from 11.5.1 HF4 to HF6 last night, and the ratio of partial accelerations appears to have dropped significantly. So it could very well be a software bug.

     

  • I got two possible answers back from F5 support. They first said you'd see a Partial when the SSL handshake is done in hardware, but the data connection is not. For example if using RSA+3DES+MD5.

     

    I pointed out that we manually limit our ciphers to those with Native, and the Connections table confirms that 100% of all connections have been Native. They offered this alternate explanation:

     

    The connections listed as "Partial" are very likely the resumed SSL sessions, in which the bulk cryptography is hardware-accelerated but the handshake for the resumed session is handled in software.

     

    I suppose I could disable SSL session resumption to confirm this, but probably will not worry about it. We use the F5 for large file transfers, so are actually more concerned about the data connection than the handshake.

     

  • The connections listed as "Partial" are very likely the resumed SSL sessions, in which the bulk cryptography is hardware-accelerated but the handshake for the resumed session is handled in software.

     

    Thanks for the update. This is new to me (I thought a resumed session is hardware-accelerated too).