On Thu, Jan 10, 2013 at 10:18:44AM +0200, Pasi Kärkkäinen wrote:
> On Thu, Jan 10, 2013 at 01:11:15AM +0100, Willy Tarreau wrote:
> > On Thu, Jan 10, 2013 at 12:49:19AM +0100, Lukas Tribus wrote:
> > >
> > > > Interesting. Are these implementations still in use ? This seems more
> > > > like early experimentations than definitive releases to me. I don't
> > > > know if such versions were shipped in any LTS distro, so most likely
> > > > they'll quickly disappear. Am I wrong ?
> > >
> > > Looks like you are correct. In openssl 1.0.1 there is no aesni engine
> > > (needed) anymore. See:
> > > [1] https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1001424
> > > [2] http://cvs.openssl.org/chngview?cn=21519
> >
> > Oh I'm certain about this one because this is the one we use in the
> > Aloha and we achieve 5 Gbps of HTTPS per CPU core in AES256 :-)
> >
> > What I don't know is if the older versions are still in use nor for how
> > long.
> >
>
> EL6 has OpenSSL 1.0.0,

Interesting, maybe they backported the aes-ni work from 1.0.1 ?

This can be tested with "openssl speed -evp aes128". Here on my machine
(no aes-ni), you can see that performance is not huge :

  Doing aes-128-cbc for 3s on 16 size blocks: 14588298 aes-128-cbc's in 2.98s
  Doing aes-128-cbc for 3s on 64 size blocks: 6012712 aes-128-cbc's in 3.00s
  Doing aes-128-cbc for 3s on 256 size blocks: 1798955 aes-128-cbc's in 2.98s
  Doing aes-128-cbc for 3s on 1024 size blocks: 473059 aes-128-cbc's in 3.00s
  Doing aes-128-cbc for 3s on 8192 size blocks: 59968 aes-128-cbc's in 2.98s
  ...
  The 'numbers' are in 1000s of bytes per second processed.
  type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
  aes-128-cbc      78326.43k   128271.19k   154541.10k   161470.81k   164851.63k

With aes-ni enabled I'd get 4-10 times this.

Running "openssl engine" will show the available engines :

  $ openssl engine
  (padlock) VIA PadLock (no-RNG, no-ACE)
  (dynamic) Dynamic engine loading support

If you restart the test above adding "-engine XXX" (where XXX is the
engine name), you'll see if you get different numbers (eg: -engine aesni).

If the engine significantly improves performance, then we need to support
it. If it does not, it means the base code has the aes-ni patches backported.

> but dunno if a minor version difference has any change in behaviour.

Yes it does, because I think it was merged in 1.0.1.

Regards,
Willy
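Added example, not part of the original message: a small script that automates the comparison described above by extracting the summary row from two "openssl speed" runs and reporting whether the engine run is significantly faster. The function names, the 2x threshold and the engine sample row are assumptions made for illustration; the baseline sample reuses the figures quoted in the message.

```shell
#!/bin/sh
# Added example: compare `openssl speed -evp aes128` results with and without
# an engine. The threshold and the engine sample row are assumptions.

# Print the throughput figures (1000s of bytes/s) from the summary row for
# cipher $1, reading `openssl speed` output on stdin. "Doing ..." progress
# lines and the "type" header are skipped: their first field is not the cipher.
speed_row() {
    awk -v c="$1" '$1 == c {
        for (i = 2; i <= NF; i++) {
            sub(/k$/, "", $i)
            printf "%s%s", $i, (i < NF ? " " : "\n")
        }
    }'
}

# $1 = base row, $2 = engine row, $3 = speed-up threshold (assumed default 2).
# Prints "engine-needed" if any block size reaches the threshold, "no-gain"
# otherwise, or "error" (exit 1) if the rows cannot be compared.
engine_verdict() {
    awk -v b="$1" -v e="$2" -v t="${3:-2}" 'BEGIN {
        n = split(b, bv, " "); m = split(e, ev, " ")
        if (n == 0 || n != m) { print "error"; exit 1 }
        best = 0
        for (i = 1; i <= n; i++) {
            if (bv[i] <= 0) { print "error"; exit 1 }
            r = ev[i] / bv[i]
            if (r > best) best = r
        }
        print (best >= t ? "engine-needed" : "no-gain")
    }'
}

# Baseline: figures quoted in the message (machine without aes-ni).
SAMPLE_BASE="Doing aes-128-cbc for 3s on 16 size blocks: 14588298 aes-128-cbc's in 2.98s
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-cbc 78326.43k 128271.19k 154541.10k 161470.81k 164851.63k"
# Constructed sample (baseline x5), standing in for a run with "-engine XXX".
SAMPLE_ENGINE="type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-cbc 391632.15k 641355.95k 772705.50k 807354.05k 824258.15k"

base=$(printf '%s\n' "$SAMPLE_BASE" | speed_row aes-128-cbc)
eng=$(printf '%s\n' "$SAMPLE_ENGINE" | speed_row aes-128-cbc)
echo "verdict: $(engine_verdict "$base" "$eng")"
```

On a real host, pipe the output of the two runs into speed_row in place of the sample variables; a "no-gain" result corresponds to the case where the base code already performs as well as the engine.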

