Affects F18/F19.

Why does Fedora's openssl not list "aesni" compared to RHEL? The values below show it is in fact supported by both. On the other hand, "SSLCryptoDevice aesni" for Apache does not work on Fedora, and I am unsure whether it is used automatically by default in that case. In case of doubt, this may waste a factor of 8 in performance on modern hardware.

http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcryptodevice
____________________________________________
cat /etc/redhat-release; openssl engine; cat /proc/cpuinfo | grep "model name"
CentOS release 6.4 (Final)
(aesni) Intel AES-NI engine
(dynamic) Dynamic engine loading support
model name : Intel(R) Xeon(R) CPU E5640 @ 2.67GHz

openssl speed aes-256-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256 cbc      58003.13k    62866.47k    63308.37k   135122.94k   135858.86k

openssl speed -evp aes-256-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     460493.45k   508006.53k   517264.90k   519457.45k   520594.75k
____________________________________________
cat /etc/redhat-release; openssl engine; cat /proc/cpuinfo | grep "model name"
Fedora release 18 (Spherical Cow)
(dynamic) Dynamic engine loading support
model name : Intel(R) Xeon(R) CPU E5640 @ 2.67GHz

openssl speed aes-256-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256 cbc      58347.04k    63168.39k    64110.99k   135981.36k   137257.23k

openssl speed -evp aes-256-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     462203.14k   512258.69k   519790.56k   522836.19k   523612.23k
I found this changelog entry, but look below!

* Wed Aug 24 2011 Tomas Mraz <tmraz at redhat.com> 1.0.0d-8
- drop the separate engine for Intel acceleration improvements and merge in the AES-NI, SHA1, and RC4 optimizations
- add support for OPENSSL_DISABLE_AES_NI environment variable that disables the AES-NI support
_______________________________________________
Two Apache benchmarks ("ab -c 50 -n 20000") make me fear AES-NI is not used by httpd/openssl by default, because without SSL the same call gives 750 requests/second, which means with encryption it is the same 475 less in both cases, while AES-NI should boost by a factor of 5-8.

/etc/sysconfig/httpd untouched:
Requests per second: 274.38 [#/sec] (mean)
Requests per second: 271.71 [#/sec] (mean)

OPENSSL_DISABLE_AES_NI=1:
Requests per second: 273.01 [#/sec] (mean)
Requests per second: 273.90 [#/sec] (mean)
_______________________________________________
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcryptodevice
Default: SSLCryptoDevice builtin

The same values as above with SSLCryptoDevice dynamic.
There is no OPENSSL_DISABLE_AES_NI support in Fedora packages anymore. The AES-NI support is from upstream.
Thanks for the feedback, that explains why I can't verify anything :-)

But this still smells like it is not used automatically, comparing "openssl speed aes-256-cbc" and "openssl speed -evp aes-256-cbc". Or does this really only affect the benchmark, and in normal operations it's used?

Available options:
-engine e       use engine e, possibly a hardware device.
-evp e          use EVP e
No, the openssl call without -evp directly calls the software implementation (no AES-NI). On the other hand, all higher level applications, including the TLS implementation, call the EVP functions, which automatically call the AES-NI accelerated implementation if available.

Of course, if a 3rd party program uses the low level interface, directly calling the AES software implementation, it will not be accelerated, but that did not change from the situation in RHEL-6. Basically the low level interfaces should not be used by 3rd party programs ever, but unfortunately these were part of the OpenSSL API and ABI for a long time so we cannot make them hidden.
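As an added illustration (not part of the original comments), this script takes the two `openssl speed` result rows from the Fedora 18 output quoted in the report and computes the EVP to low-level throughput ratio per block size, which is the gap the comment above attributes to the EVP path using AES-NI. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the report): quantify the gap between the low-level
# AES path and the EVP path from two `openssl speed` result rows.
# The rows below are copied from the Fedora 18 output quoted in the report.
LOWLEVEL_ROW='aes-256 cbc 58347.04k 63168.39k 64110.99k 135981.36k 137257.23k'
EVP_ROW='aes-256-cbc 462203.14k 512258.69k 519790.56k 522836.19k 523612.23k'

# last5 ROW: print the five throughput columns (16..8192 bytes) without the
# trailing "k". Counting from the end copes with "aes-256 cbc" being two words.
last5() {
    printf '%s\n' "$1" | awk 'NF >= 5 {
        for (i = NF - 4; i <= NF; i++) {
            v = $i; sub(/k$/, "", v)
            printf "%s%s", v, (i < NF ? " " : "\n")
        }
    }'
}

# evp_ratios LOW_ROW EVP_ROW: print EVP/low-level throughput per block size.
evp_ratios() {
    low=$(last5 "$1"); evp=$(last5 "$2")
    [ -n "$low" ] && [ -n "$evp" ] || return 1
    printf '%s\n%s\n' "$low" "$evp" | awk '
        NR == 1 { for (i = 1; i <= 5; i++) l[i] = $i }
        NR == 2 { for (i = 1; i <= 5; i++) {
                      if (l[i] <= 0) exit 1
                      printf "%.1f%s", $i / l[i], (i < 5 ? " " : "\n") } }'
}

# cpu_has_aes FILE: succeed if a cpuinfo-format file lists the "aes" CPU flag.
cpu_has_aes() {
    grep -m1 '^flags' "$1" | grep -qw aes
}

echo "EVP / low-level ratio (16 64 256 1024 8192 bytes): $(evp_ratios "$LOWLEVEL_ROW" "$EVP_ROW")"
if [ -r /proc/cpuinfo ] && cpu_has_aes /proc/cpuinfo; then
    echo "CPU advertises the aes flag"
fi
# On a live system the rows could be captured with, for example:
#   openssl speed aes-256-cbc 2>/dev/null | tail -n 1
#   openssl speed -evp aes-256-cbc 2>/dev/null | tail -n 1
```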
Thank you so much for helping me understand how it works in detail!

My intention in bringing up such things is to make the best use of one's own hardware in production, while at the same time, if things could be optimized, all other users and maybe future development may benefit.