On 10/28/21 10:02 AM, Lukas Tribus wrote:
> You seem to be trying very hard to find a problem where there is none.
>
> Definitely do NOT overwrite CPU flags in production. This is to *test*
> AES acceleration, I put the link to the blog post in there for
> context, not because I think you need to force this on.

I wouldn't call this production.  It's the server in my basement. It runs most of my personal websites.  I do my experimentation there.  I'm OK with those experiments causing the occasional problem, because for the most part I know how to fix it if I make a mistake.

If all the developers at the various levels (openssl, the openssl maintainer for Debian/Ubuntu, and this fine group) did things right, then there probably is not a problem.  I started this thread because I wanted to ask whether it works the way I hope it does, and at the time I couldn't think of a way to test it.

The closest thing I have to production is my server in AWS.  It runs my email, and a few websites associated with email, like webmail. Just like on the server in my basement, all the websites are behind haproxy.  I used to manage production systems running haproxy, but I no longer have that job.  On the email server or anything that's actually production, I don't do the sort of experiments we have been discussing.

I did just think of a way that I MIGHT be able to test. Time a simple shell script using wget to hit a tiny static web page using https 10000 times.  For that test, the run with haproxy started normally actually took longer:

Starting normally:
real    15m3.545s
user    5m18.367s
sys     8m38.491s

Acceleration disabled:
real    10m49.436s
user    3m52.056s
sys     5m50.564s

That isn't what I expected at all.  I can think of two different explanations:

* Haproxy doesn't use openssl in a way that takes advantage of acceleration.
* The way I attempted to disable acceleration is not actually working.

I can try increasing the loop from 10000 times to a much larger number.

For the test with acceleration disabled, I manually started haproxy with this command after making sure it wasn't running:

OPENSSL_ia32cap="~0x200000200000000" /usr/local/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid &

haproxy -vv output:

HAProxy version 2.4.7-b5e51a5 2021/10/04 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2026.
Known bugs: http://www.haproxy.org/bugs/bugs-2.4.7.html
Running on: Linux 5.11.0-38-generic #42~20.04.1-Ubuntu SMP Tue Sep 28 20:41:07 UTC 2021 x86_64
Build options :
  TARGET  = linux-glibc
  CPU     = native
  CC      = cc
  CFLAGS  = -O2 -march=native -g -Wall -Wextra -Wdeclaration-after-statement -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
  OPTIONS = USE_PCRE2_JIT=1 USE_OPENSSL=1 USE_ZLIB=1 USE_SYSTEMD=1
  DEBUG   =

Feature list : +EPOLL -KQUEUE +NETFILTER -PCRE -PCRE_JIT -PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +BACKTRACE -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H +GETADDRINFO +OPENSSL -LUA +FUTEX +ACCEPT4 -CLOSEFROM +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL -PROCCTL +THREAD_DUMP -EVPORTS -OT -QUIC -PROMEX -MEMORY_PROFILING

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=24).
Built with OpenSSL version : OpenSSL 1.1.1f  31 Mar 2020
Running on OpenSSL version : OpenSSL 1.1.1f  31 Mar 2020
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with network namespace support.
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE2 version : 10.34 2019-11-21
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with gcc compiler version 9.3.0

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
              h2 : mode=HTTP       side=FE|BE     mux=H2       flags=HTX|CLEAN_ABRT|HOL_RISK|NO_UPG
            fcgi : mode=HTTP       side=BE        mux=FCGI     flags=HTX|HOL_RISK|NO_UPG
       <default> : mode=HTTP       side=FE|BE     mux=H1       flags=HTX
              h1 : mode=HTTP       side=FE|BE     mux=H1       flags=HTX|NO_UPG
       <default> : mode=TCP        side=FE|BE     mux=PASS     flags=
            none : mode=TCP        side=FE|BE     mux=PASS     flags=NO_UPG

Available services : none

Available filters :
    [SPOE] spoe
    [CACHE] cache
    [FCGI] fcgi-app
    [COMP] compression
    [TRACE] trace

Thanks,
Shawn
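
Added example, not part of the original message: a shell check that decodes the mask used above, confirms a running process was started with `OPENSSL_ia32cap` in its environment, and measures bulk AES-128-GCM with the system `openssl` so the effect of the mask can be seen without handshakes or a proxy in the path. The script name is hypothetical; the bit numbers are those given in OpenSSL's `OPENSSL_ia32cap` documentation.

```shell
#!/bin/sh
# Added example, not from the thread. Script name and layout are hypothetical.
MASK='~0x200000200000000'   # mask from the haproxy command in the message

# Name the capability bits a mask selects. Bit numbers follow OpenSSL's
# OPENSSL_ia32cap documentation: 57 = AES-NI, 33 = PCLMULQDQ. A leading "~"
# means "clear these bits" instead of "use exactly these bits".
mask_bits() {
    hex=${1#"~"}
    m=$(( $hex ))
    out=""
    [ $(( (m >> 57) & 1 )) -eq 1 ] && out="$out AES-NI"
    [ $(( (m >> 33) & 1 )) -eq 1 ] && out="$out PCLMULQDQ"
    echo "${out# }"
}

# Print OPENSSL_ia32cap from a NUL-separated environment file such as
# /proc/<pid>/environ; exit status 1 if the variable is not set there.
proc_cap() {
    tr '\000' '\n' < "$1" | sed -n 's/^OPENSSL_ia32cap=//p' | grep .
}

# Bulk AES-128-GCM throughput from the system openssl, with and without the
# mask. No proxy, handshake or network is involved, so a working mask shows
# up as a clear drop in the second result line.
bench() {
    echo "== default capabilities"
    openssl speed -evp aes-128-gcm 2>/dev/null | tail -n 1
    echo "== OPENSSL_ia32cap=$1"
    OPENSSL_ia32cap="$1" openssl speed -evp aes-128-gcm 2>/dev/null | tail -n 1
}

echo "mask $MASK selects: $(mask_bits "$MASK")"
# Usage: sh check_ia32cap.sh <pid of the running haproxy>
if [ -n "${1:-}" ]; then
    proc_cap "/proc/$1/environ" || echo "pid $1: OPENSSL_ia32cap not set"
    bench "$MASK"
fi
```

Reading `/proc/<pid>/environ` for a process owned by another user requires root.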


