English Forums > Hardware and Performance

Openssl performance

<< < (2/3) > >>

framura:
Thanks both, @franco and @interfaSys, for your replies.

So, if I undestand correctly, OPNSense loads aesni.ko (if I set into settings preferences) but openssl (and openvpn) use /dev/crypto always (if device is present), also if I don't set it in openvpn configuration: when both aesni module and crypto device are present, openssl (and openvpn) slows down.

So, possible solutions (at this moment):

1) Build a custom kernel, like @interfaSys says
2) Switch to LibreSSL flavour: but LibreSSL uses AES-NI instructions? From a another thread, I understood LibreSSL is not able to use them (or am I wrong?)

Thanks again

P.S.: I found also this: https://calomel.org/aesni_ssl_performance.html

franco:
No, I think AES-NI is implemented in (envelope) assembler code directly in LibreSSL and OpenSSL. It does not need anything other than AES-NI instructions from the hardware, unless I don't understand how it works.

interfaSys:
@franco is correct. OpenSSL comes with its own implementation in its evp engine and it doesn't require any module to be loaded.

The only reason you'd want to load aesni.ko is if you have other kernel components which can use it to accelerate encryption. I was told IPsec uses it per example. But you don't need to load cryptodev as that's used as a bridge to give userland access to crypto accelerators kernel modules (if you have a PCI-X card per example).

OpenVPN uses OpenSSL's evp engine, but in my tests it shows zero gain in terms of speed when using cryptodev or not. It just spends more time in the kernel space if cryptodev is loaded.

And careful, crypto is not cryptodev ;). You need to load crypto, not cryptodev.

framura:
Just tried to use LibreSSL: I changed flavour in System:Settings:General but

if I run "openssl version" I get

OpenSSL 1.0.1p-freebsd 9 Jul 2015

and if I run "/usr/local/bin/openssl version" I get

OpenSSL 1.0.2g  1 Mar 2016

In franco's run I see "LibreSSL 2.2.6".

framura:
Sorry,

reply to myself: I changed ssl flavour but I did't realise I must also to update some packages.

Now I updated my system and finally I get LibreSSL 2.2.6: sorry, my mistake.

Now I will try openvpn performance and CPU usage.

Navigation

[0] Message Index

[#] Next page

[*] Previous page