Openssl performance
framura:
Hi,
I tried to verify openssl performance on my OPNSense machine (4 vCPUs on ESXi 6): I compared these results with those obtained on an Ubuntu 15 server machine (2 vCPUs on the same host).
I ran this command on Ubuntu and OPNSense:
openssl speed -evp aes-128-cbc
and on OPNSense also
openssl speed -evp aes-128-cbc -engine cryptodev
The output obtained shows me no difference between these two commands on OPNSense and a huge difference with Ubuntu:
OPNSense (no cryptodev)
The 'numbers' are in 1000s of bytes per second processed.
type              16 bytes      64 bytes     256 bytes    1024 bytes    8192 bytes
aes-128-cbc      46929.27k    165008.10k    662520.67k   3014012.56k  30838620.16k
OPNSense (cryptodev)
The 'numbers' are in 1000s of bytes per second processed.
type              16 bytes      64 bytes     256 bytes    1024 bytes    8192 bytes
aes-128-cbc      45672.01k    183696.55k    576098.68k   2877417.92k  20640869.03k
Ubuntu 15
The 'numbers' are in 1000s of bytes per second processed.
type              16 bytes      64 bytes     256 bytes    1024 bytes    8192 bytes
aes-128-cbc     209778.60k    321537.47k    386955.43k    406307.21k    413696.00k
Do you have any idea?
Thanks
franco:
Can you rerun these with the following binary? Due to the way FreeBSD is built we have two versions and the console defaults to the wrong one...
# /usr/local/bin/openssl
franco:
Here's my dump with base OpenSSL:
--- Code: ---
root@sensey:~ # openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 620655 aes-128-cbc's in 0.42s
Doing aes-128-cbc for 3s on 64 size blocks: 605377 aes-128-cbc's in 0.33s
Doing aes-128-cbc for 3s on 256 size blocks: 551208 aes-128-cbc's in 0.37s
Doing aes-128-cbc for 3s on 1024 size blocks: 405373 aes-128-cbc's in 0.22s
Doing aes-128-cbc for 3s on 8192 size blocks: 120284 aes-128-cbc's in 0.07s
OpenSSL 1.0.1p-freebsd 9 Jul 2015
built on: date not available
options:bn(64,64) rc4(8x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type              16 bytes      64 bytes     256 bytes    1024 bytes    8192 bytes
aes-128-cbc      23538.92k    118077.34k    384297.53k   1897608.92k  14014101.73k
--- End code ---
And this is LibreSSL (the OpenSSL flavour should be equivalent in numbers), which is used by our code:
--- Code: ---
root@sensey:~ # /usr/local/bin/openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 42196792 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 64 size blocks: 15461014 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 4929140 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 1316453 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 167027 aes-128-cbc's in 3.00s
LibreSSL 2.2.6
built on: date not available
options:bn(64,64) rc4(8x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: information not available
The 'numbers' are in 1000s of bytes per second processed.
type              16 bytes      64 bytes     256 bytes    1024 bytes    8192 bytes
aes-128-cbc     225637.15k    329834.97k    420619.95k    449349.29k    456095.06k
--- End code ---
interfaSys:
@franco - It's interesting; it seems LibreSSL is not using cryptodev, which is a good thing.
@framura - If you want the best OpenSSL performance, you need to build a custom kernel and remove cryptodev from https://github.com/opnsense/tools/blob/master/config/16.1/SMP. See https://github.com/opnsense/tools/issues/26 for more details.
Also, when posting results, paste the whole thing. In Franco's test using base OpenSSL, we can see that the test is not accurate as it doesn't run for 3s. Looking at your numbers, I expect the same, because they're unrealistic. You don't encrypt at 30GB/s. The numbers on Ubuntu are correct. Add "-elapsed" to the command line if you want the real numbers on OPNsense with cryptodev loaded.
Also, you don't need to add "-engine cryptodev"; evp is already using cryptodev if present and that's what's slowing things down.
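The check described in the post above, as an added example that is not part of the original thread: it parses the "Doing ..." progress lines of `openssl speed`, recomputes the reported throughput, and flags runs where the counted time is far below the requested 3s (without `-elapsed`, the counted time is user CPU time). The `analyze` function, the 0.9 threshold and the wall-clock estimate (which assumes the loop really ran for the requested duration) are assumptions of this example.

```python
import re

# One "Doing ..." progress line per block size, as printed by `openssl speed`.
DOING = re.compile(
    r"Doing (\S+) for (\d+)s on (\d+) size blocks: (\d+) \S+ in (\d+\.\d+)s")

def analyze(output, min_ratio=0.9):
    """Return one dict per block size, flagging runs whose counted time
    is much shorter than the requested duration."""
    rows = []
    for m in DOING.finditer(output):
        requested, size, count = int(m[2]), int(m[3]), int(m[4])
        counted = float(m[5])
        total = size * count
        rows.append({
            "cipher": m[1],
            "block": size,
            # What the summary table prints: bytes / counted seconds, in k.
            "reported_k": total / counted / 1000 if counted else float("inf"),
            # Assumption: the loop really ran for `requested` wall seconds.
            "wall_k": total / requested / 1000,
            "suspect": counted < min_ratio * requested,
        })
    return rows

# Progress lines copied from the two dumps posted in this thread.
BASE_OPENSSL = """\
Doing aes-128-cbc for 3s on 16 size blocks: 620655 aes-128-cbc's in 0.42s
Doing aes-128-cbc for 3s on 8192 size blocks: 120284 aes-128-cbc's in 0.07s
"""
LIBRESSL = """\
Doing aes-128-cbc for 3s on 16 size blocks: 42196792 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 8192 size blocks: 167027 aes-128-cbc's in 3.00s
"""

if __name__ == "__main__":
    for label, dump in (("base OpenSSL", BASE_OPENSSL), ("LibreSSL", LIBRESSL)):
        for r in analyze(dump):
            print(f"{label:13}{r['block']:>5} B  reported {r['reported_k']:>14.2f}k"
                  f"  wall-clock est. {r['wall_k']:>11.2f}k"
                  f"  {'SUSPECT' if r['suspect'] else 'ok'}")
```

A flagged row means the summary table for that run overstates throughput; rerun with `-elapsed` instead of trusting the estimate.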
franco:
Yes, cryptodev engine support was kicked from LibreSSL very early on. :)