OpenVPN Padlock

From my understanding, userland applications use cryptodev to access hardware crypto accelerators. Therefore I didn't care that the "openssl engine" command did not show the padlock engine (but cryptodev). Your dmesg output (the padlock0 detached messages) might appear because you kldload/kldunload the padlock.ko module multiple times?

I updated OpenSSL the following way (shame on me):
Code:
cd /usr/ports/security/openssl
make PREFIX=/ install

The procedure might be or is completely wrong, my intention was just to replace the OpenSSL installation which comes with the base distribution. I did not want to have >>multiple<< OpenSSL versions on my box. I guess it's key to have the shared libs updated under /lib (not /usr/local/lib) so that OpenSSH (without recompiling?!) can use it.

As a test I booted a fresh 7.2-RELEASE, ran the scp tests again (gave me 3MBytes/sec), after that I just copied the following libs from my other box (the ones after my dirty OpenSSL update):

Code:
# ll /lib | grep crypto
-rw-r--r--  1 root  wheel  2380268  6 Okt 23:26 libcrypto.a
-r--r--r--  1 root  wheel  1536226  6 Okt 23:26 libcrypto.so.5

With those libs, scp suddenly gave me 4,5MBytes/sec. After a "kldload cryptodev" it was 10MBytes/sec and with top I could see that the CPU utilization moved from userspace to kernel space.

I would be happy if somebody could explain the canonical way to >>replace<< the OpenSSL version of the base distribution with an update from ports. That is, avoid having multiple versions of OpenSSL.

On the other hand, I'm waiting for the release of 8.0, which should solve these problems.

cheers,
honk
 
Thanks for explaining the method you used to upgrade OpenSSL. I'm using 0.9.8k on both systems now. Using your method I was able to successfully increase my scp rate from 5.9 MB/s to 14.7 MB/s. When I look at the 'top' output I can clearly see that the CPU utilization has shifted from userspace to kernel space like you said and I can see scp and ssh appear and see that they're being used. When I run openssl speed tests pretty much the same is true except that I see the process 'openssl' show up and the CPU usage under 'system' is ~100%.

Unfortunately, none of this seems to have carried over to OpenVPN. OpenSSL now indicates that it supports the cryptodev and dynamic engines and so does OpenVPN, so I tell OpenVPN to use 'engine cryptodev' in my config files. When I copy files between samba shares on the servers through the VPN, I'm still not seeing any speed increase and when I look at 'top' while I'm transferring I'm not really seeing much of anything; no openssl/openvpn process ~100% CPU usage under 'system', pretty much nothing even indicates OpenVPN is even being used. The 'top' output indicates that 'user' and 'system' CPU usage are each ~1%.
 
Ok, another thing I've noticed that doesn't seem to be working is the sha1/sha256 acceleration. Here are the results of my test:

Code:
# openssl speed -evp sha1 -engine cryptodev
engine "cryptodev" set.
To get the most accurate results, try to run this
program when this computer is idle.
Doing sha1 for 3s on 16 size blocks: 1477447 sha1's in 2.99s
Doing sha1 for 3s on 64 size blocks: 1066112 sha1's in 3.00s
Doing sha1 for 3s on 256 size blocks: 573495 sha1's in 2.99s
Doing sha1 for 3s on 1024 size blocks: 201385 sha1's in 2.99s
Doing sha1 for 3s on 8192 size blocks: 28559 sha1's in 2.99s
OpenSSL 0.9.8k 25 Mar 2009
built on: Fri Oct  9 09:25:41 EDT 2009
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) idea(int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -pthread -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -Wall -O2 -fno-strict-aliasing -pipe -DOPENSSL_BN_ASM_PART_WORDS -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
available timing options: USE_TOD HZ=128 [sysconf value]
timing function used: getrusage
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha1              7898.16k    22777.46k    49032.53k    68888.21k    78161.00k

Clearly not being accelerated. Could this be why OpenVPN isn't any faster? Any ideas on how to enable sha1/sha256 acceleration?
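
An added example, not part of the original post: a small parser for the "Doing ..." lines of `openssl speed` that shows how much of each 3-second run was charged to the openssl process as CPU time (the output above says the timing function is getrusage). The 0.5 threshold and the extra AES line are assumptions constructed for illustration.

```python
import re

# The five "Doing ..." lines quoted in the post above.
POST_SHA1 = """\
Doing sha1 for 3s on 16 size blocks: 1477447 sha1's in 2.99s
Doing sha1 for 3s on 64 size blocks: 1066112 sha1's in 3.00s
Doing sha1 for 3s on 256 size blocks: 573495 sha1's in 2.99s
Doing sha1 for 3s on 1024 size blocks: 201385 sha1's in 2.99s
Doing sha1 for 3s on 8192 size blocks: 28559 sha1's in 2.99s
"""
# Constructed line (not from the thread): a run where the work happens
# outside the process, so almost no CPU time is charged to it.
CONSTRUCTED_OFFLOAD = (
    "Doing aes-128-cbc for 3s on 8192 size blocks: 50000 aes-128-cbc's in 0.05s\n")

DOING = re.compile(
    r"^Doing (\S+) for (\d+)s on (\d+) size blocks: (\d+) \S+ in (\d+\.\d+)s", re.M)

def parse_speed(text):
    """Return one dict per 'Doing ...' line of `openssl speed` output."""
    rows = []
    for algo, wall, size, count, cpu in DOING.findall(text):
        wall, size, count, cpu = int(wall), int(size), int(count), float(cpu)
        total_kb = count * size / 1000.0
        rows.append({
            "algo": algo, "size": size,
            # Share of the run the process itself spent on the CPU.
            "user_fraction": cpu / wall,
            # Throughput over the whole run interval.
            "wall_kBps": total_kb / wall,
            # Throughput per CPU second; inflated when cpu is tiny.
            "reported_kBps": total_kb / cpu if cpu > 0 else float("inf"),
        })
    return rows

def where_it_ran(rows, threshold=0.5):
    """Classify a run by mean user_fraction (threshold is an assumption)."""
    if not rows:
        raise ValueError("no 'Doing ...' lines found")
    mean = sum(r["user_fraction"] for r in rows) / len(rows)
    return "userland" if mean >= threshold else "outside the process"

if __name__ == "__main__":
    for r in parse_speed(POST_SHA1 + CONSTRUCTED_OFFLOAD):
        print("%-12s %5d B  cpu/wall=%.2f  wall=%.0fk  per-cpu-second=%.0fk" % (
            r["algo"], r["size"], r["user_fraction"],
            r["wall_kBps"], r["reported_kBps"]))
```

For the sha1 lines every run spent about 2.99 of 3 seconds on the CPU inside the process, which matches the post's reading. A per-CPU-second figure is only comparable between runs when that fraction is similar.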
 
Thanks for the help guys, but I can't waste any more time on this. As much as I hate to say it, I don't think FreeBSD is the right choice for this at the moment. I love FreeBSD, but it seems like Linux support for Padlock is more mature at this point so I'm switching to Debian.
 