Hi,
On 17/01/17 07:20, Spon Spon wrote:
> Hi,
> I installed OpenSSL 1.0.2 having CRYPTODEV and AF_ALG compiled on an
> ARM processor using kernel 3.10 that has hardware crypto. I ran the
> openssl speed test using both cryptodev and af_alg successfully. In
> /proc/interrupts I can see values increment for the crypto driver.
> (However, the speed using hardware crypto is less than half compared
> to not using it, but this is another story.) Now I tried to use openvpn
> 2.3.14. I compiled it pointing to openssl 1.0.2 and tried to check
> the speed using the command:
>
>   time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-cbc
>
> The command above works fine (it does not use hardware crypto). But as
> soon as I add engine cryptodev or engine af_alg the command hangs; in
> /proc/interrupts I can see an increment only once, and from time to time
> in dmesg I receive errors: waiting to came back form encrypt
> function timed out.
> Even kill -9 does not have any result. The only way to kill the
> process is to restart the computer.
> The driver implements only asynchronous encrypt and decrypt, and
> maybe openvpn uses only synchronous calls, and this is maybe why the
> command hangs. But as I understand it, openvpn does encryption and
> decryption through openssl. And openssl works just fine.
> I could not use openssl 1.1 on the 3.10 kernel. Openssl compiles fine,
> but openvpn does not. So the maximum openssl that can be used was 1.0.2.
> I checked using ldd and openvpn uses the correct openssl.
> So what could be the problem here? Are there any ways to force openvpn
> to use asynchronous calls?

Did you perform any other openssl tests other than "openssl speed"?
Can you try testing the speed using e.g. openssl s_client? Example:

  server process: openssl s_server -CAfile ca.crt -cert server.crt -key server.key
  client process: openssl s_client -connect localhost:4433 -CAfile ca.crt -cert client1.crt -key client1.key --engine .....

where you need to add the right crypto engine parameters at the end.
(Use Ctrl+D to terminate the client)
If these openssl tests also crash then you know it's an issue in your
crypto engine, otherwise you'll need to debug OpenVPN itself.
NB: You cannot trust the results that "openssl speed" returns when using
the cryptodev engine.
HTH,
JJK