On Thu, 28 Oct 2021 at 08:31, Lukas Tribus <[email protected]> wrote: > > Hi, > > On Thursday, 28 October 2021, Shawn Heisey <[email protected]> wrote: >> >> On 10/27/2021 2:54 PM, Lukas Tribus wrote: >>> >>> I'd be surprised if the OpenSSL API calls we are using doesn't support >>> AES-NI. >> >> >> Honestly that would surprise me too. But I have no idea how to find out >> whether it's using the acceleration or not, and the limited (and possibly >> incorrect) evidence I had suggested that maybe it was disabled by default, >> so I wanted to ask the question. I have almost zero knowledge about openssl >> API or code, so I can't discern the answer from haproxy code. > > > > You want evidence. > > Then get a raspberry pi, and run haproxy manually, fake the cpu > flag aes-ni and it should crash when using aes acceleration, > because the cpu doesn't support it.
For some reason, openssl itself doesn't crash on my raspberry pi: OPENSSL_ia32cap="+0x200000200000000" openssl speed -elapsed -evp aes-128-gcm Most likely openssl is compiled without aes-ni support here, so the test doesn't work. Lukas
