On Thu, 28 Oct 2021 at 15:49, Shawn Heisey <elyog...@elyograg.org> wrote:
>
> On 10/28/21 7:34 AM, Shawn Heisey wrote:
> > Does haproxy's use of openssl turn on the same option that the
> > commandline does with the -evp argument?  If it does, then I think
> > everything is probably OK.
>
>
> Running "grep -r EVP ." in the haproxy source tree turns up a lot of
> hits in the TLS/SSL code.  So I think that haproxy is most likely using
> EVP, and since I am running haproxy on bare metal and not in a VM (which
> might mask the aes CPU flag), it probably is using acceleration.  Just
> in case, I did add the openssl bitmap environment variable (the one with
> + instead of ~) to my haproxy systemd unit.

You seem to be trying very hard to find a problem where there is none.

Definitely do NOT overwrite CPU flags in production. This is to *test*
AES acceleration, I put the link to the blog post in there for
context, not because I think you need to force this on.


You cannot compare command line arguments of an openssl tool with
openssl library API calls, those are two different things.

If this keeps you up at night, I'd suggest you ask on the
openssl-users mailing list for clarification, or set breakpoints in
gdb and debug openssl when running from haproxy, or find a platform
where you have both a CPU with and without aesni support, and compile
openssl and haproxy with aesni and then move the executable over. It
will be a waste of your time though.


Lukas
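
Added example, not part of the thread and not code from haproxy or OpenSSL: a small audit helper for the warning above about leaving an `OPENSSL_ia32cap` override in a production haproxy unit. It reports the override in systemd unit text and in a process environment, and whether the CPU itself lists the `aes` flag. The sample inputs and the mask value are constructed placeholders.

```python
import shlex

VAR = "OPENSSL_ia32cap"

# Constructed sample inputs (not taken from the thread); the mask is a placeholder.
SAMPLE_UNIT = '''[Service]
Environment="OPENSSL_ia32cap=+0xPLACEHOLDER" "OTHER=a b"
'''
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu sse2 pclmulqdq aes avx\n"
SAMPLE_ENVIRON = b"LANG=C\0OPENSSL_ia32cap=+0xPLACEHOLDER\0"


def unit_overrides(unit_text):
    """Values assigned to OPENSSL_ia32cap by Environment= lines, in order."""
    found = []
    for line in unit_text.splitlines():
        line = line.strip()
        if not line.startswith("Environment="):
            continue
        rest = line[len("Environment="):]
        if not rest.strip():
            found.clear()  # systemd: an empty assignment resets the list
            continue
        try:
            tokens = shlex.split(rest)
        except ValueError:
            continue  # unbalanced quotes: skip the line
        found += [t.partition("=")[2] for t in tokens if t.partition("=")[0] == VAR]
    return found


def environ_override(raw):
    """OPENSSL_ia32cap as seen by a running process (/proc/<pid>/environ bytes)."""
    for item in raw.split(b"\0"):
        name, _, value = item.partition(b"=")
        if name == VAR.encode():
            return value.decode()
    return None


def cpu_has_aes(cpuinfo_text):
    """True if the first 'flags' line of /proc/cpuinfo lists the aes flag."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            return "aes" in value.split()
    return False


if __name__ == "__main__":
    print("unit overrides:", unit_overrides(SAMPLE_UNIT))
    print("process override:", environ_override(SAMPLE_ENVIRON))
    print("cpu reports aes:", cpu_has_aes(SAMPLE_CPUINFO))
```

On a live host the same functions can be fed the output of `systemctl cat haproxy`, the contents of `/proc/<pid>/environ` for the haproxy process, and `/proc/cpuinfo`.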
