Cavium III SSL Accelerator Performance Switch

Customers with LoadMaster hardware (for example, an LM-X40) with a Cavium III hardware SSL accelerator installed have reported performance issues when using the Cavium III hardware with TLS 1.3. A new drop-down list has been introduced in LoadMaster firmware version 7.2.53 (and Long Term Support (LTS) version 7.2.48.3) on the Network Options page in the User Interface (UI) that allows you to switch from using the current 1.1.1 OpenSSL libraries to using the older 1.0.2 libraries, which do not exhibit the performance issues seen with the 1.1.1 libraries. Unfortunately, the older 1.0.2 libraries do not support TLS 1.3, so TLS 1.3 will not be available for incoming client connections after switching to the older libraries.

Consult with Kemp Support before enabling this workaround.

Also note:

  • Switching the OpenSSL version causes a total SSL outage during the switch. This operation should not be performed during working hours.

  • When using the older 1.0.2 libraries, the TLS1.3 check box is no longer available in the SSL Properties section of the Virtual Service modify screen.

  • If you switch from using the older 1.0.2 libraries to using the 1.1.1 libraries, TLS1.3 is automatically re-enabled on all Virtual Services.

  • The library selection option is not available on LoadMasters that include the Cavium V accelerator hardware. Those cards do not support the older 1.0.2 libraries.

You can access the new OpenSSL Version drop-down list by going to System Configuration > Miscellaneous Options > Network Options. By default, the LoadMaster uses the latest version of OpenSSL.

This option is not applicable for Cavium V machines - those cards do not support the old libraries. Therefore, this option is not applicable for the following LoadMaster/Kemp ECS Connection Manager models:
- LM-X25
- LM-X40 Rev 05
- LM-X40M
- LM XHC 25G/40G/100G
- ECS Connection Manager H3 Rev 02
- ECS Connection Manager H3M
- ECS Connection Manager H3 25G/40G/100G
For these LoadMaster models, the OpenSSL Version field is available but the LoadMaster will continue to use the current OpenSSL implementation even if the OpenSSL Version field is set to Use older SSL library - no TLS 1.3.

RESTful Application Programming Interface (API) Details

You can retrieve the value of the OpenSSL Version field by running a get command on the parameter SSLOldLibraryVersion, for example:

/access/get?param=SSLOldLibraryVersion

You can configure the SSLOldLibraryVersion parameter by running the set command, for example:

/access/set?param=SSLOldLibraryVersion&value=1

Valid values:

  • 0 - Use current SSL library + TLS 1.3

  • 1 - Use older SSL library - no TLS 1.3

For further details on the RESTful API in general, refer to the Long Term Support (LTS) RESTful API Interface Description document.
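The get and set calls above are easy to fold into a configuration audit: a LoadMaster left on the older library has TLS 1.3 disabled for every Virtual Service, which is exactly the kind of drift a review should catch. The following is an added example, not Kemp's own code or output. It assumes the API is reached over HTTPS with HTTP basic authentication and that it answers in an XML envelope of the shape used in the constructed samples below; the parameter name, the two URL forms and the meaning of values 0 and 1 are taken from the article, everything else (hostnames, auth scheme, response layout) is an assumption to confirm against the LTS RESTful API Interface Description for your firmware.

```python
"""Audit the LoadMaster OpenSSL Version setting (SSLOldLibraryVersion).

Added example, not Kemp's own code. Assumed: HTTPS + HTTP basic auth and the
XML response envelope used in the constructed samples below.
"""
import base64
import ssl
import sys
import urllib.request
import xml.etree.ElementTree as ET

PARAM = "SSLOldLibraryVersion"

# Valid values and their meaning, as documented in the article.
MEANING = {
    "0": "Use current SSL library + TLS 1.3",
    "1": "Use older SSL library - no TLS 1.3",
}

# Constructed sample responses (not captured from a real appliance); the
# envelope shape is an assumption about what the LoadMaster API returns.
SAMPLE_CURRENT = (
    '<Response stat="200" code="ok"><Success>ok</Success>'
    "<Data><SSLOldLibraryVersion>0</SSLOldLibraryVersion></Data></Response>"
)
SAMPLE_OLD = (
    '<Response stat="200" code="ok"><Success>ok</Success>'
    "<Data><SSLOldLibraryVersion>1</SSLOldLibraryVersion></Data></Response>"
)
SAMPLE_FAIL = (
    '<Response stat="401" code="fail"><Error>Authentication failed</Error></Response>'
)


def get_url(host):
    """URL of the documented get call for the parameter."""
    return f"https://{host}/access/get?param={PARAM}"


def set_url(host, value):
    """URL of the documented set call; refuses values the article does not list."""
    value = str(value)
    if value not in MEANING:
        raise ValueError(f"{PARAM} accepts only {sorted(MEANING)}, got {value!r}")
    return f"https://{host}/access/set?param={PARAM}&value={value}"


def parse_response(xml_text):
    """Return (ok, value): ok is False when the API reports a failure,
    value is the parameter text or None when the element is absent."""
    root = ET.fromstring(xml_text)
    if root.tag != "Response" or root.get("code") != "ok":
        return False, None
    node = root.find(f".//{PARAM}")
    if node is None or node.text is None:
        return True, None
    return True, node.text.strip()


def assess(value):
    """Turn the raw value into an audit finding. The workaround removes TLS 1.3
    from all incoming client connections, so a '1' deserves a WARN."""
    if value == "0":
        return "OK: " + MEANING["0"]
    if value == "1":
        return "WARN: " + MEANING["1"] + " (Cavium III workaround active)"
    return f"UNKNOWN: unexpected {PARAM} value {value!r}"


def fetch(host, user, password, cafile=None):
    """Issue the get call with HTTP basic auth (assumed scheme) and return the
    body. Certificate verification stays on; hand over the appliance's CA
    bundle via cafile instead of disabling it."""
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        get_url(host), headers={"Authorization": f"Basic {token}"}
    )
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Offline run over the constructed samples.
    for sample in (SAMPLE_CURRENT, SAMPLE_OLD, SAMPLE_FAIL):
        ok, value = parse_response(sample)
        print(assess(value) if ok else "ERROR: API call failed")
    # Live audit: python3 audit_ssl_lib.py <host> <user> <password> [cafile]
    if len(sys.argv) >= 4:
        ok, value = parse_response(fetch(*sys.argv[1:5]))
        print(assess(value) if ok else "ERROR: API call failed")
```

Run without arguments to see the three sample verdicts; with host, user and password it performs the documented get call and prints the finding for that appliance. The script deliberately only reads: the set call URL is built by set_url so a change-management tool can log exactly what it would send, but flipping the library is the outage-causing operation the article says to schedule with Kemp Support outside working hours, so it is left to a human.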
