OpenSSL vs LibreSSL performance AES-NI #3551
Comments
Would you mind rerunning the test with the correct OpenSSL binary at /usr/local/bin/openssl?
On my device with Intel(R) Celeron(R) CPU 3865U @ 1.80GHz (2 cores)
That's what I would expect as well, but then again the tests by @h-2 seem to be off. LibreSSL in -evp should be a bit slower than OpenSSL, but without -evp they should perform the same (much slower than -evp).
OK, here are more complete logs, maybe that's helpful. Summary. Performance seems to be equal everywhere. I don't know where above's 200MB/s comes from. But it's still the problem that OpenVPN doesn't detect hardware accel when LibreSSL is chosen.
OpenSSL flavour, base, no evp
OpenSSL flavour, base, evp
OpenSSL flavour, pkg, no-evp
OpenSSL flavour, pkg, evp
LibreSSL flavour, base, no evp
LibreSSL flavour, base, evp
LibreSSL flavour, pkg, no-evp
LibreSSL flavour, pkg, evp
In base there is no LibreSSL :)
LibreSSL does not have engine support since --err-- version 2.3 I think? But if you choose an AESNI cipher envelope acceleration (-evp) will automatically be used. The code is assembler code inside the crypto library so no need for external engine support in both cases. It might be that OpenVPN on OpenSSL with crypto engine is slower than without it.... Cheers,
Yeah, I know. But, because you suggested my results were fishy, I wanted to make sure everything was ok.
So engine support is just about random numbers and not about ciphers?
Well, I don't really know what OpenVPN is doing, do you? I would need to set up some local benchmark because my outgoing connection isn't fast enough to measure a difference.... Or are there some local OpenVPN test benchmarks one can run?
Engine hardware acceleration accelerates whatever the engine supports. I'm not sure if it (always) speeds up between engine and envelope or if there are drawbacks (i.e. the old cryptodev was slower in some scenarios). Best way forward is measuring OpenVPN performance, but that would entail testing between endpoints so maybe a test lab, but it also requires a more powerful peer so the benchmarks cap for the hardware to be tested. Maybe @mimugmail has some test results at hand from earlier or general lab setup tips.
I only tested OpenVPN one time with OpenSSL compared to WireGuard, no tests with Libre at all.
Thanks for that benchmark but did you try plain ipsec or ipsec/l2tp?
pretty sure this wasn't ipsec/l2tp
I've always found that openvpn was a way better choice even for just raw performance, excluding the security aspect.
We are talking about Site to Site, not client VPN. Plain IKEv2 road warrior should be faster than OpenVPN
Describe the bug
This is a follow-up to #2343.
When I choose the LibreSSL flavour, OpenVPN reports no hardware crypto. With OpenSSL flavour it does.
LibreSSL:
OpenVPN config, Hardware Crypto: No Hardware Crypto Acceleration.
OpenSSL:
OpenVPN config, Hardware Crypto: Intel RDRAND engine - RAND.
The actual speed of libressl suggests that it does have hardware accel:
LibreSSL
/usr/local/bin/openssl speed aes-128-cbc
yields 125 MB/s
LibreSSL
/usr/local/bin/openssl speed -evp aes-128-cbc
yields 572 MB/s
On the other hand OpenSSL seems to have regressed:
OpenSSL
/usr/bin/openssl speed aes-128-cbc
yields 125 MB/s
OpenSSL
/usr/bin/openssl speed -evp aes-128-cbc
yields 206 MB/s
(OpenSSL with -evp gave ~400 MB/s in #2343)
I am not too worried about the latter if we can fix the former, i.e. make OpenVPN use LibreSSL + hardware crypto.
Environment
Software version used and hardware type if relevant.
e.g.:
OPNsense 19.1.9-amd64
FreeBSD 11.2-RELEASE-p10-HBSD
LibreSSL 2.8.3
Intel(R) Celeron(R) CPU J3455 @ 1.50GHz (4 cores)
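The comparison made in the issue above, as an added example that is not part of the original thread or of the project's code: a shell script that parses openssl speed output and compares the plain and -evp results for one binary. The sample output is constructed around the figures quoted in the issue, and the function names and the 2x threshold are assumptions.

```shell
#!/bin/sh
# Added example: compare the plain and -evp results of `openssl speed`.

# Constructed sample output. Only the last column matches the figures quoted
# in the issue (125 MB/s without -evp, 572 MB/s with -evp).
sample_plain() { cat <<'EOF'
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128 cbc     101000.00k   115000.00k   121000.00k   124000.00k   125000.00k
EOF
}
sample_evp() { cat <<'EOF'
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     410000.00k   520000.00k   560000.00k   570000.00k   572000.00k
EOF
}

# Read `openssl speed` output on stdin; print MB/s for the largest block size.
# The result row is the first line after the "type" header whose last field
# looks like "<number>k" (thousands of bytes per second).
speed_mbs() {
    awk '/^type/ { seen = 1; next }
         seen && $NF ~ /^[0-9.]+k$/ {
             sub(/k$/, "", $NF); printf "%.0f\n", $NF / 1000; exit
         }'
}

# $1 = plain MB/s, $2 = -evp MB/s. The 2x threshold is an assumption: below it
# the gap is too small to attribute to the AES-NI code path with confidence.
classify() {
    awk -v p="$1" -v e="$2" 'BEGIN {
        if (p + 0 <= 0 || e + 0 <= 0) { print "invalid"; exit }
        r = e / p
        printf "%.1fx %s\n", r, (r >= 2 ? "evp-accelerated" : "inconclusive")
    }'
}

# $1 = path to an openssl binary; runs both benchmarks, which takes a while.
compare_binary() {
    plain=$("$1" speed aes-128-cbc 2>/dev/null | speed_mbs)
    evp=$("$1" speed -evp aes-128-cbc 2>/dev/null | speed_mbs)
    echo "$1: plain=${plain} MB/s, evp=${evp} MB/s, $(classify "$plain" "$evp")"
}

# Demo on the constructed samples; on a real box: compare_binary /usr/local/bin/openssl
classify "$(sample_plain | speed_mbs)" "$(sample_evp | speed_mbs)"
```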