RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Description of problem:

The new version of openssl shipped in RHEL 6.5 breaks aesni hardware accelleration.

There are two problems, firstly that the engine .so is missing (although I believe this is probably deliberate it should be documented as attempting to specify this engine now results in an error)

The second problem is that the accelleration isn't enabled in core.

This means that on a modern intel CPU, aes-128-cbc speed (as tested by openssl speed -evp aes-128-cbc) drops from around 691902.42k to 22027.95k (1024 keysize) between RHEL 6.4 and RHEL 6.5 - which obviously isn't acceptable.

Disabling the disable-aesni patch (patch number 67) fixes the problem, but as the patch looks like it's there to provide an optional (and disabled by default) way to turn off aesni at build time, it's unclear why this is.

Version-Release number of selected component (if applicable):

openssl-1.0.1e-15.el6.x86_64

How reproducible:

Always

Steps to Reproduce:
1. Start with RHEL 6.4.  Run openssl speed -evp aes-128-cbc
2. Update to RHEL 6.5
3. Run openssl speed -evp aes-128-cbc again

Actual results:

roughly 30x slowdown

Expected results:

no slowdown at all.

Additional info:

Apologies for the noise - this was actually caused by buggy power management on the test server that only showed up once updated.

It might be worth mentioning in the docs that the external engine for aesni has gone away, and that it no longer needs to be manually enabled, though.

We will document it in the errata text. Reassigning to release notes for further documentation consideration.

The following text has been added in the Technical Notes book as agreed with Tomas:

The external Advanced Encryption Standard (AES) New Instructions (AES-NI) engine is no longer available in openssl; the engine is now built-in and therefore no longer needs to be manually enabled.

Closing; the book is available online:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/6.5_Technical_Notes/index.html