On 10/27/2021 2:54 PM, Lukas Tribus wrote:
> I'd be surprised if the OpenSSL API calls we are using don't support AES-NI.
Honestly that would surprise me too. But I have no idea how to find out
whether it's using the acceleration or not, and the limited (and
possibly incorrect) evidence I had suggested that maybe it was disabled
by default, so I wanted to ask the question. I have almost zero
knowledge about openssl API or code, so I can't discern the answer from
haproxy code.
Thanks for the improved commands for testing purposes.
On openssl 1.1.1 from ubuntu, first with acceleration disabled and then
with it enabled:
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc    175183.68k   218351.02k   242778.28k   251637.42k   231298.39k   251587.24k

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc    302331.09k   443021.42k   475877.63k   486907.90k   487268.35k   489406.46k
The same with openssl 3.0.1-dev:
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
AES-128-CBC    190766.02k   216849.62k   245917.61k   202468.01k   250989.23k   225902.59k

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
AES-128-CBC    348296.06k   404943.64k   480815.70k   485857.96k   423469.06k   480007.51k
That is great data, but doesn't tell me whether openssl uses
acceleration in haproxy.
---
Separate but indirectly related: I would like to know if there is a
timeline for when openssl 3.x will be supported by haproxy. The 2.4.7
version won't even compile against my local install of 3.0.1-dev. The
2.5-dev11 version compiles, but fails to link. I would imagine that
it's going to be a lot of work to support it.
Thanks,
Shawn