Hi JT, I can't explain the differences between different OpenSSL versions on different platforms (Linus vs. FreeBSD), but there is a way to artificially disable the AES-NI detection by setting OPENSSL_ia32cap="~0x200000200000000" to disable AES-NI usage.
For Example: pbx ~ # system-vendor Qotom Q530G6 CPU i3-6100U NIC x6 pbx ~ # openssl speed -elapsed -evp aes-128-cbc ... The 'numbers' are in 1000s of bytes per second processed. type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-128-cbc 732389.02k 806448.32k 822415.19k 826271.40k 832817.83k ## Disable AES-NI detection pbx ~ # OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp aes-128-cbc ... The 'numbers' are in 1000s of bytes per second processed. type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-128-cbc 213826.86k 224500.25k 227550.04k 229667.16k 229709.14k About a 3.5x improvement with AES-NI enabled, as is the default. If you are comparing with pfSense, try a more real-world test, testing more than just the AES-NI ... pbx ~ # openvpn --genkey --secret /tmp/secret pbx ~ # time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-cbc Sat Jan 26 09:39:25 2019 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode real 0m11.413s BTW, I read the pfSense forums from time to time, and there is a lot of confusion loading the "aesni-intel" (FreeBSD name may be different) kernel module and using the "cryptodev" engine, as using the CPU's native AES-NI is faster, but often confusing in the pfSense configuration. Lonnie > On Jan 25, 2019, at 11:54 PM, authenti...@gmail.com wrote: > > Thank you Lonnie. Yes, I'm using the 64-bit image, version 1.3.4, on a > Lanner FW-7525B. > > The reason I asked about enabling AES is because in Astlinux, openssl does > not show the AES engine: > > ================= > > pbx ~ # openssl engine -t -c > (rdrand) Intel RDRAND engine > [RAND] > [ available ] > (dynamic) Dynamic engine loading support > [ unavailable ] > pbx ~ # openssl speed -evp aes-128-cbc > Doing aes-128-cbc for 3s on 16 size blocks: 28745427 aes-128-cbc's in 2.99s > Doing aes-128-cbc for 3s on 64 size blocks: 11017736 aes-128-cbc's in 3.00s > Doing aes-128-cbc for 3s on 256 size blocks: 3308167 aes-128-cbc's in 2.99s > Doing aes-128-cbc for 3s on 1024 size blocks: 871322 aes-128-cbc's in 3.00s > Doing aes-128-cbc for 3s on 8192 size blocks: 110518 aes-128-cbc's in 2.99s > OpenSSL 1.0.2p 14 Aug 2018 > built on: reproducible build, date unspecified > options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) > blowfish(idx) > compiler: > /var/lib/astlinux/tags/1.3.4/output/host/usr/bin/x86_64-unknown-linux-gnu-gcc > -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB > -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN > -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -pipe -Os > -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 > -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM > -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM > -DECP_NISTZ256_ASM > The 'numbers' are in 1000s of bytes per second processed. > type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes > aes-128-cbc 153821.68k 235045.03k 283241.05k 297411.24k 302797.14k > > ================= > > Running pfSense on the same machine, openssl shows the AES engine, and gives > much faster numbers: > > ================= > > [2.3.5-RELEASE][root@pfSense.localdomain]/root: openssl engine -t -c > (cryptodev) BSD cryptodev engine > [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC] > [ available ] > (rsax) RSAX engine support > [RSA] > [ available ] > (rdrand) Intel RDRAND engine > [RAND] > [ available ] > (dynamic) Dynamic engine loading support > [ unavailable ] > [2.3.5-RELEASE][root@pfSense.localdomain]/root: openssl speed -evp aes-128-cbc > Doing aes-128-cbc for 3s on 16 size blocks: 727014 aes-128-cbc's in 0.26s > Doing aes-128-cbc for 3s on 64 size blocks: 687421 aes-128-cbc's in 0.34s > Doing aes-128-cbc for 3s on 256 size blocks: 597433 aes-128-cbc's in 0.30s > Doing aes-128-cbc for 3s on 1024 size blocks: 388056 aes-128-cbc's in 0.16s > Doing aes-128-cbc for 3s on 8192 size blocks: 89167 aes-128-cbc's in 0.03s > OpenSSL 1.0.1s-freebsd 1 Mar 2016 > built on: date not available > options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) > blowfish(idx) > compiler: clang > The 'numbers' are in 1000s of bytes per second processed. > type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes > aes-128-cbc 45118.93k 127985.29k 501966.27k 2543163.80k 23374594.05k > > ================= > > What am I overlooking here? Thank you. > > JT > _______________________________________________ > Astlinux-users mailing list > Astlinux-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to > pay...@krisk.org. _______________________________________________ Astlinux-users mailing list Astlinux-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/astlinux-users Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
