Hello, I have a server with an MCX623106AC-CDAT and I am trying to use the TLS hardware encryption support of the card. I’ve tested several ciphers with an nginx kTLS-enabled web server, and it successfully offloads the TLS encryption to the card when using the ciphers based on AES128 GCM SHA256 such as ECDHE-RSA-AES128-GCM-SHA256, AES128-GCM-SHA256, AES128-SHA256 and more, which are TLS v1.2. But when trying to use the cipher TLS_AES_128_GCM_SHA256, which is TLS 1.3, the packets are not encrypted in the card. This card, the MCX623106AC-CDAT, is a Crypto card, which should support “Inline hardware TLS encryption and decryption > AES-GCM 128/256-bit key.” (taken from the connectX-6-dx-datasheet.pdf). First, how may I check exactly which ciphers the card supports? And does my card support TLS offloading using the cipher TLS_AES_128_GCM_SHA256 (i.e. AES128 in Galois/Counter mode GCM with 256 SHA hash with TLS 1.3)? And lastly, it is written “AES-GCM 128/256-bit key.” in the documentation, which means AES128 in GCM mode with 256 SHA key or AES256 in GCM mode with 384 SHA key - it is written really ambiguously.
Does the ConnectX-6 Dx card support TLS offloading with AES256 and TLS 1.3?
To check which ciphers the MCX623106AC-CDAT card supports, you can consult the product documentation or contact the manufacturer’s support team for more information.
Regarding your question about whether the card supports TLS offloading using cipher TLS_AES_128_GCM_SHA256, it’s difficult to say for certain without knowing more about the specific implementation of the card’s hardware encryption engine. However, in general, support for TLS 1.3 ciphers like TLS_AES_128_GCM_SHA256 requires hardware engines with specific cryptographic primitives and key sizes.
As for the ambiguity in the documentation, it’s possible that the statement “AES-GCM 128/256-bit key” is referring to support for both AES128 and AES256 in GCM mode, with SHA256 as the hash function. Without more context, it’s difficult to say for certain. Again, the best approach would be to consult the product documentation or contact the manufacturer’s support team for clarification.
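An added example, not part of the original thread: one way to observe from the host whether a test connection's kTLS session was opened in device (NIC) mode or in software, by diffing two snapshots of the Linux kernel's `/proc/net/tls_stat` counters. The helper names `tls_counter` and `tls_tx_path` are hypothetical, and the snapshots in the block are constructed sample data.

```shell
#!/bin/sh
# Where did the kernel place new kTLS TX sessions: NIC ("device") or CPU ("software")?
# Counter names are the Linux kernel's /proc/net/tls_stat fields; the function
# names tls_counter and tls_tx_path are hypothetical helpers for this example.

# Print one counter from a tls_stat-format file (0 if the counter is absent).
tls_counter() {   # $1 = snapshot file, $2 = counter name
    awk -v k="$2" '$1 == k { print $2; found = 1 } END { if (!found) print 0 }' "$1"
}

# Compare snapshots taken before and after one test connection.
tls_tx_path() {   # $1 = before, $2 = after
    dev=$(( $(tls_counter "$2" TlsTxDevice) - $(tls_counter "$1" TlsTxDevice) ))
    sw=$(( $(tls_counter "$2" TlsTxSw) - $(tls_counter "$1" TlsTxSw) ))
    if [ "$dev" -gt 0 ] && [ "$sw" -gt 0 ]; then echo mixed
    elif [ "$dev" -gt 0 ]; then echo device      # crypto offloaded to the NIC
    elif [ "$sw" -gt 0 ]; then echo software     # kTLS active, crypto on the CPU
    else echo none                               # no kTLS TX session was opened
    fi
}

# Constructed snapshots (not captured from a real host): one new session,
# opened in software mode (one possible outcome when offload does not engage).
before=$(mktemp); after=$(mktemp)
printf 'TlsCurrTxSw\t0\nTlsTxSw\t4\nTlsTxDevice\t10\n' > "$before"
printf 'TlsCurrTxSw\t1\nTlsTxSw\t5\nTlsTxDevice\t10\n' > "$after"
echo "new TX sessions: $(tls_tx_path "$before" "$after")"
rm -f "$before" "$after"
```

On a real host, save `/proc/net/tls_stat` to a file before and after a single request that negotiates the cipher under test, then pass the two files to `tls_tx_path`. The interface's `tls-hw-tx-offload` and `tls-hw-rx-offload` features in `ethtool -k` output show whether the driver has offload enabled at all.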