
Bug 1043972

Summary: 3.2.3. OpenSSL Intel AES-NI Engine is outdated
Product: Red Hat Enterprise Linux 6
Component: doc-Security_Guide
Version: 6.5
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: high
Reporter: Miroslav Vadkerti <mvadkert>
Assignee: Bara Ancincova <bancinco>
QA Contact: Tomas Capek <tcapek>
CC: bancinco, ebenes, fweimer, hkario, msvoboda
Target Milestone: rc
Keywords: Documentation
Hardware: All
OS: Linux
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-04-21 11:31:37 UTC

Description Miroslav Vadkerti 2013-12-17 14:28:01 UTC
Description of problem:
The test of the AES-NI engine is outdated. In the current version of openssl, the check for the AES-NI engine is invalid; the engine won't be shown in the output.

According to the developer, a proper check that AES-NI is working is:
1. to check if the machine has the AES instruction set, i.e.
grep -o aes /proc/cpuinfo
2. to compare the results of "openssl speed aes-128-cbc" vs "openssl speed -evp aes-128-cbc",
where the latter should be significantly better performing.

Please also note that the guide is incorrect in its example of the openssl speed command without the -evp option. Without this option, the AES-NI engine is not used.

Version-Release number of selected component (if applicable):
current live @
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/ch03s02s03.html

Comment 2 Miroslav Vadkerti 2014-07-25 10:10:57 UTC
The reproducer is correct, I just tested it on an AES testing machine


# grep -m1 -o aes /proc/cpuinfo
aes

# openssl speed aes-128-cbc
Doing aes-128 cbc for 3s on 16 size blocks: 18693032 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 64 size blocks: 5052796 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 256 size blocks: 1288608 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 1024 size blocks: 323906 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 8192 size blocks: 40555 aes-128 cbc's in 3.00s
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Fri Sep 27 10:09:12 EDT 2013
options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx) 
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128 cbc      99696.17k   107792.98k   109961.22k   110559.91k   110742.19k


# openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 150084418 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 40934523 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 10510135 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 2646815 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 330598 aes-128-cbc's in 3.00s
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Fri Sep 27 10:09:12 EDT 2013
options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx) 
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     800450.23k   873269.82k   896864.85k   903446.19k   902752.94k
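
The two-step check from the description, automated over the summary rows shown in comment 2 (an added example, not part of the original report or of Red Hat's guide). The function names, the constructed cpuinfo line and the 2x threshold are assumptions; the flag test uses a whole-word match, which goes slightly beyond the report's `grep -o aes` so that a flag such as "vaes" is not counted.

```shell
#!/bin/bash
# Added example (not from the bug report): automate the two-step AES-NI check.
MIN_SPEEDUP=2   # assumption: the report only says "significantly better"

# has_aes_flag: read cpuinfo text on stdin; succeed only if "aes" is a whole
# flag. Unlike plain `grep -o aes`, -w does not match inside "vaes".
has_aes_flag() { grep -m1 '^flags' | grep -qw aes; }

# throughput: read `openssl speed` output on stdin and print the largest-block
# figure from the summary row ("aes-128 cbc" or "aes-128-cbc") without the "k".
throughput() { awk '/^aes-128[ -]cbc/ { v = $NF; sub(/k$/, "", v); print v }'; }

# speedup SOFT EVP: print the EVP / non-EVP ratio with two decimals.
speedup() { awk -v s="$1" -v e="$2" 'BEGIN { printf "%.2f\n", e / s }'; }

# aesni_verdict CPUINFO SOFT_OUTPUT EVP_OUTPUT: print a one-word verdict.
aesni_verdict() {
    local soft evp
    printf '%s\n' "$1" | has_aes_flag || { echo "no-aes-flag"; return 0; }
    soft=$(printf '%s\n' "$2" | throughput)
    evp=$(printf '%s\n' "$3" | throughput)
    [ -n "$soft" ] && [ -n "$evp" ] || { echo "no-data"; return 0; }
    if awk -v s="$soft" -v e="$evp" -v m="$MIN_SPEEDUP" 'BEGIN { exit !(e >= s * m) }'
    then echo "aes-ni-in-use"
    else echo "aes-ni-not-in-use"
    fi
}

# Summary rows copied from comment 2; the cpuinfo line is constructed.
CPUINFO='flags           : fpu sse2 ssse3 aes avx'
SOFT='type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128 cbc      99696.17k   107792.98k   109961.22k   110559.91k   110742.19k'
EVP='type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     800450.23k   873269.82k   896864.85k   903446.19k   902752.94k'

echo "speedup: $(speedup "$(echo "$SOFT" | throughput)" "$(echo "$EVP" | throughput)")x"
aesni_verdict "$CPUINFO" "$SOFT" "$EVP"

# Live use on a real host:
#   aesni_verdict "$(cat /proc/cpuinfo)" \
#       "$(openssl speed aes-128-cbc 2>/dev/null)" \
#       "$(openssl speed -evp aes-128-cbc 2>/dev/null)"
```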

Comment 6 Bara Ancincova 2015-04-21 11:31:37 UTC
The updated text is already on the Portal:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Security_Guide/index.html#sect-Security_Guide-Encryption-OpenSSL_Intel_AES-NI_Engine

Closing this bug as CLOSED CURRENTRELEASE.