On 10/28/21 12:31 AM, Lukas Tribus wrote:
> You want evidence.
That would be preferred, yes.
> Then get a raspberry pi, and run haproxy manually, fake the cpu flag
> aes-ni and it should crash when using aes acceleration, because the
> cpu doesn't support it.
> https://romanrm.net/force-enable-openssl-aes-ni-usage
That page seemed to indicate that if openssl detects the CPU flag, it
will use it, at least with Tor, the software being used by the author of
the article.
Does haproxy's use of openssl turn on the same option that the
commandline does with the -evp argument? If it does, then I think
everything is probably OK.
Something interesting to note: In the 3.0.1-dev version, the test I
started with (running without -evp and then again with -evp) doesn't
show a speed difference. So whatever -evp does is on by default in the
latest openssl. I'm very interested in seeing openssl 3 support in haproxy.
Thanks,
Shawn