On 10/27/21 5:47 PM, Shawn Heisey wrote:
On 10/27/2021 2:54 PM, Lukas Tribus wrote:
I'd be surprised if the OpenSSL API calls we are using don't support AES-NI.

Honestly that would surprise me too.  But I have no idea how to find out whether it's using the acceleration or not, and the limited (and possibly incorrect) evidence I had suggested that maybe it was disabled by default, so I wanted to ask the question.  I have almost zero knowledge about openssl API or code, so I can't discern the answer from haproxy code.

openssl uses AES-NI acceleration if present and enabled (which it should be). Since most all Intel nowadays has it, you can actually see the difference when using something like ssh for xfers using a cipher like [email protected] (the perf difference is very noticeable).

I mean, my experience is limited to using openSSH, but I would think it would be applicable elsewhere.


Thanks for the improved commands for testing purposes.

On openssl 1.1.1 from ubuntu, first with acceleration disabled and then with it enabled:

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc     175183.68k   218351.02k   242778.28k   251637.42k   231298.39k   251587.24k

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc     302331.09k   443021.42k   475877.63k   486907.90k   487268.35k   489406.46k


The same with openssl 3.0.1-dev:

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
AES-128-CBC     190766.02k   216849.62k   245917.61k   202468.01k   250989.23k   225902.59k

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
AES-128-CBC     348296.06k   404943.64k   480815.70k   485857.96k   423469.06k   480007.51k

That is great data, but doesn't tell me whether openssl uses acceleration in haproxy.

---

Separate but indirectly related:  I would like to know if there is a timeline for when openssl 3.x will be supported by haproxy.  The 2.4.7 version won't even compile against my local install of 3.0.1-dev.  The 2.5-dev11 version compiles, but fails to link.  I would imagine that it's going to be a lot of work to support it.

Thanks,
Shawn
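
Added example, not part of the original thread or of the haproxy/OpenSSL projects: a shell sketch of the disabled-versus-enabled comparison quoted above, which checks the CPU's `aes` flag and turns two `openssl speed` result rows into per-block-size speedup ratios. The function names are hypothetical, the `OPENSSL_ia32cap` mask is the one given in OpenSSL's own documentation for hiding AES-NI and PCLMULQDQ (the commands used in the thread are not shown on this page), and x86 Linux is assumed.

```shell
#!/bin/sh
# Added example. Assumes x86 Linux (/proc/cpuinfo) and an `openssl` binary on PATH.

# has_aes_flag [FILE]: succeed if the first "flags" line lists the "aes" CPU feature.
has_aes_flag() {
    grep -m1 '^flags' "${1:-/proc/cpuinfo}" | tr ' \t' '\n\n' | grep -qx 'aes'
}

# speed_row CIPHER: read `openssl speed` output on stdin and print the result
# row for CIPHER as bare numbers. The match ignores case because 1.1.1 prints
# "aes-128-cbc" while 3.0 prints "AES-128-CBC", as in the tables above.
speed_row() {
    awk -v c="$1" 'tolower($1) == tolower(c) {
        for (i = 2; i <= NF; i++) {
            sub(/k$/, "", $i)
            printf "%s%s", $i, (i < NF ? " " : "\n")
        }
    }'
}

# speedup BASE ACCEL: per-block-size ratio ACCEL/BASE of two speed_row results.
speedup() {
    echo "$1|$2" | awk -F'|' '{
        n = split($1, a, " "); split($2, b, " ")
        for (i = 1; i <= n; i++) printf "%.2f%s", b[i] / a[i], (i < n ? " " : "\n")
    }'
}

# compare_aesni: benchmark once with the AES-NI and PCLMULQDQ capability bits
# masked via OPENSSL_ia32cap, once with defaults, and print the ratios.
compare_aesni() {
    base=$(OPENSSL_ia32cap="~0x200000200000000" \
        openssl speed -elapsed -evp aes-128-cbc 2>/dev/null | speed_row aes-128-cbc)
    accel=$(openssl speed -elapsed -evp aes-128-cbc 2>/dev/null | speed_row aes-128-cbc)
    speedup "$base" "$accel"
}

# Usage: has_aes_flag && compare_aesni
```

Ratios near 1.00 across all block sizes would mean the mask made no difference on that host; the 1.1.1 figures quoted above work out to roughly 1.7x to 2.1x.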




