Tengine SSL Async Acceleration with Intel QAT: Architecture, Principles, and Performance Evaluation
The article explains how Tengine 2.2.2 leverages Intel QuickAssist Technology to offload SSL/TLS operations via an async OpenSSL module, detailing its architecture, event‑driven workflow, and benchmark results that show up to 3.8× throughput improvement for HTTPS traffic.
Although HTTPS is widely adopted, it can degrade website speed and increase CPU load, prompting the need for hardware offload solutions; Tengine addresses this by integrating Intel QuickAssist Technology (QAT) to accelerate SSL/TLS processing.
Tengine 2.2.2 introduces several new features, including the ssl_async directive for asynchronous OpenSSL operations, TLS 1.3 0‑RTT support, and an upstream include directive; of these, ssl_async is the one that lets the server offload cryptographic workloads to QAT hardware.
The acceleration framework consists of three components: the ssl_async directive in Tengine, the OpenSSL + QAT Engine, and the QAT driver. Tengine adapts OpenSSL 1.1.0’s async API to delegate private‑key operations to the QAT engine, which communicates with the hardware via the driver.
When a TLS handshake requires a private‑key operation, the OpenSSL call returns SSL_ERROR_WANT_ASYNC to Tengine instead of blocking. Tengine registers the engine‑provided eventfd with its epoll loop and continues handling other connections. Once the QAT engine signals completion through the eventfd, Tengine re‑enters the OpenSSL API to finish the handshake, so the worker process is never idle while the hardware is busy, which maximizes concurrency.
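The pause, register, resume cycle described above can be sketched with a real eventfd and epoll instance, as an added example that is not Tengine, OpenSSL, or QAT engine code. The names do_handshake, engine_complete, run_demo and the HS_* constants are hypothetical stand-ins, and the "hardware" completion is triggered in-process.

```c
/* Added illustration: a simulated async offload, not Tengine or OpenSSL code. */
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/epoll.h>
#include <sys/eventfd.h>

enum { HS_DONE = 0, HS_WANT_ASYNC = 1 };  /* stand-in for SSL_ERROR_WANT_ASYNC */
struct conn { int efd; int submitted; int result_ready; };

/* Stand-in for SSL_do_handshake(): the first call submits the private-key
 * operation and pauses; a later call succeeds once the result is ready. */
static int do_handshake(struct conn *c) {
    if (!c->submitted) { c->submitted = 1; return HS_WANT_ASYNC; }
    return c->result_ready ? HS_DONE : HS_WANT_ASYNC;
}

/* Stand-in for the engine: store the result, then signal the eventfd. */
static int engine_complete(struct conn *c) {
    uint64_t one = 1;
    c->result_ready = 1;
    return write(c->efd, &one, sizeof one) == (ssize_t)sizeof one ? 0 : -1;
}

/* Returns how many other requests were served while the handshake was
 * pending, or -1 on error. */
int run_demo(int other_requests) {
    struct conn c = { eventfd(0, EFD_NONBLOCK), 0, 0 };
    int ep = epoll_create1(0), served = 0;
    if (c.efd < 0 || ep < 0) return -1;
    if (do_handshake(&c) != HS_WANT_ASYNC) return -1;
    /* Real code gets this fd from OpenSSL, e.g. SSL_get_all_async_fds(). */
    struct epoll_event ev = { .events = EPOLLIN, .data.ptr = &c }, out;
    if (epoll_ctl(ep, EPOLL_CTL_ADD, c.efd, &ev) < 0) return -1;
    for (;;) {
        if (epoll_wait(ep, &out, 1, 0) == 1) {        /* completion signalled */
            uint64_t v;
            if (read(c.efd, &v, sizeof v) != (ssize_t)sizeof v) return -1;
            epoll_ctl(ep, EPOLL_CTL_DEL, c.efd, NULL);
            break;
        }
        if (served < other_requests) served++;        /* worker keeps serving */
        else if (engine_complete(&c) < 0) return -1;  /* constructed: op finishes */
    }
    int rc = do_handshake(&c);                        /* re-enter, finish handshake */
    close(ep); close(c.efd);
    return rc == HS_DONE ? served : -1;
}

int main(void) { printf("served while pending: %d\n", run_demo(5)); return 0; }
```

The return value counts the work the loop completed between the WANT_ASYNC return and the eventfd signal, which is the time a synchronous private-key operation would have spent blocking the worker.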
Performance tests on a 32‑core Xeon E5‑2650 v2 system (10 GbE NIC, OpenSSL 1.1.0‑f, QAT engine v0.5.30) show that enabling ssl_async with QAT yields significant throughput gains: for RSA‑RSA‑AES128‑GCM‑SHA256, 8 cores achieve 17.6 k QPS (3.8× faster than the non‑accelerated version); for ECDHE‑RSA‑AES128‑GCM‑SHA256, 16 cores reach 15 k QPS (2.65×); and for ECDHE‑ECDSA‑AES128‑GCM‑SHA256 (P‑384), 16 cores double the performance.
The study concludes that QAT‑based async acceleration can dramatically improve HTTPS handling in Tengine, especially for RSA‑based suites, while noting that gains vary with cipher choice and that certain configurations (e.g., ECDHE‑ECDSA P‑256) see modest improvements.
Qunar Tech Salon
Qunar Tech Salon is a learning and exchange platform for Qunar engineers and industry peers. We share cutting-edge technology trends and topics, providing a free platform for mid-to-senior technical professionals to exchange and learn.