2.5.0 OpenVPN no AES-NI
-
Did you set AES-NI under System > Advanced, Misc. in the crypto module options?
-
Yes i tried both - AES-NI and BSD Cyptodev
-
Any messages in the system log about aesni? Check
/var/log/dmesg.bootspecifically.You should see a line like this:
Aug 10 10:37:45 pfSense kernel: aesni0: <AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS> on motherboardIs it enabled in your BIOS?
-
Yes it is enabled in the BIOS as you see above the CPU does report the correct features
I only see the CPU features in the dmesg.boot.
-
Is
aesniloaded inkldstatoutput? -
kldstat Id Refs Address Size Name 1 19 0xffffffff80200000 38d7128 kernel 2 2 0xffffffff83ad9000 a448 opensolaris.ko 3 1 0xffffffff83ae4000 3ba750 zfs.ko 4 1 0xffffffff8423d000 1000 cpuctl.ko 5 1 0xffffffff8423e000 8c90 aesni.ko 6 1 0xffffffff84247000 37e8 cryptodev.ko -
This post is deleted! -
I have reported this issue before.
-
OK so there is an patch for ssl but this patch is causing problems as i read.
OpenSSL was patched in 2018 but this bug exists in pfsense in 2020? Or is there another bug which is causing this?
-
In 2.4.* it is also not showing and, as far as I remember, never was (Hyper-V), so I hope it is working automagically.
-
AES-NI will never show on the OpenVPN page. OpenVPN/OpenSSL will detect and use AES-NI automatically.
The only place you can pick AES-NI from a list is under System > Advanced on the Misc tab to tell the system whether or not to load the kernel module. Primarily that will affect IPsec, not OpenVPN.
-
Thank you for the clarification.
But why is there the option if it will be NEVER shown in the OpenVPN configuration?
-
Those are two completely different sets of crypto controls. One for the operating system in general, and one specifically for OpenVPN. There are many more uses for crypto on pfSense than OpenVPN.
AES-NI never shows in OpenVPN because it isn't a relevant option. It is not considered a crypto "engine" to OpenVPN or OpenSSL, because it uses it automatically. Some devices have to be selected manually.
