JPcaceresMorale
Jun 14, 2018

Crypto irule cpu consumption

Hi all,

I have an iRule to decrypt all HTTP request payloads and another to encrypt all HTTP response payloads. It works perfectly, but the CPU consumption of TMM is very high. Does anyone have experience with these iRules? Can it be optimized so that it does not use so much CPU? Thank you

I have an i5800 series

Thanks all

JP

2 Replies

  • when RULE_INIT {
        set static::hexkey "xxxxxxxxxxxxxxxxx"
        log local0.info "====Rule_Init===="
        log local0.info "Key is $static::hexkey"
        log local0.info "================="
    }

    when HTTP_REQUEST {
        HTTP::header remove "Accept-Encoding"
        if { [HTTP::version] eq "1.1" } {
            if { [HTTP::header is_keepalive] } {
                HTTP::header replace "Connection" "Keep-Alive"
            }
            HTTP::version "1.0"
        }

        if { [HTTP::method] != "OPTIONS" } {
            if { !([HTTP::uri] starts_with "/xxxx/claims/v1/xxxxxx") } {
                if { !([HTTP::uri] starts_with "/xxx/v1/xxxxxxx") } {
                    # Trigger collection for up to 1MB of data
                    if { [HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576 } {
                        set content_length [HTTP::header "Content-Length"]
                    } else {
                        set content_length 1048576
                    }

                    # Check if $content_length is not set to 0
                    if { $content_length > 0 } {
                        HTTP::collect $content_length
                    }
                }
            }
        }
    }

    when HTTP_REQUEST_DATA {
        if { [HTTP::method] != "OPTIONS" } {
            if { !([HTTP::uri] starts_with "/xxxx/claims/v1/xxxxxx") } {
                if { !([HTTP::uri] starts_with "/xxx/v1/xxxxxxx") } {
                    log local0.info [HTTP::uri]
                    set iv "xxxxxxxxxx"
                    set paiload [HTTP::payload]
                    log local0.info "payload: $paiload"
                    # Strip the JSON punctuation and the words "set" and "value", leaving the base64 text
                    set payload_without_json [string map {\{ {} \} {} \[ {} \] {} \" {} set {} value {} \: {}} $paiload]
                    log local0.info "sin json:  $payload_without_json"
                    set text_to_decrypt [b64decode $payload_without_json]
                    log local0.info "dato encriptado: $text_to_decrypt"
                    # Decrypt the collected body with AES-128-CBC
                    set dec_out_no_binary [CRYPTO::decrypt -alg aes-128-cbc -keyhex $static::hexkey -ivhex $iv $text_to_decrypt]
                    # Hex form of the decrypted bytes (enc_hex is not used afterwards)
                    binary scan $dec_out_no_binary H* enc_hex
                    log local0.info "dato desencriptado: $dec_out_no_binary"
                    # Replace the collected payload with the plaintext and release the request
                    HTTP::payload replace 0 [HTTP::payload length] $dec_out_no_binary
                    HTTP::release
                }
            }
        }
    }
    
  • JPcaceresMorales,

     

    Crypto operations in TCL are CPU-intensive, so encrypting/decrypting requests will utilize significant CPU.

     

    Is there a reason that the Request/Response Body is encrypted in this way, as opposed to just relying on SSL/TLS encryption (which is hardware offloaded)?