OpenSSL speed test results



  • Hi guys

    I have a Supermicro C2758 mini ITX board running pfSense 2.3.2. I was curious about its OpenSSL performance and ran some tests. I have also tried to run the Synology DSM 6.0.2 on it as well (xpenology). Here are the results:

    The commands I used are (in order):

    without cryptochip: openssl speed aes-256-cbc
    with cryptochip: openssl speed -elapsed -evp aes-256-cbc
    without cryptochip: env OPENSSL_ia32cap=0 openssl speed -elapsed -evp aes-256-gcm
    with cryptochip: openssl speed -elapsed -evp aes-256-gcm

    pfsense

    type            16 bytes    64 bytes    256 bytes  1024 bytes  8192 bytes

    aes-256 cbc      30009.29k    32872.73k    34107.56k    88327.51k    89552.21k
    aes-256-cbc      5093.88k    19207.19k    64474.37k  153268.57k  250006.19k
    aes-256-gcm      23096.27k    26460.12k    27718.91k    28018.75k    28161.37k
    aes-256-gcm    110406.57k  187576.15k  236987.26k  256166.23k  260928.85k

    DSM6
    type            16 bytes    64 bytes    256 bytes  1024 bytes  8192 bytes

    aes-256 cbc      28385.84k    30940.80k    31830.75k    88723.11k    89967.27k
    aes-256-cbc    167312.87k  239838.31k  281869.82k  294749.18k  298554.71k
    aes-256-gcm      22487.40k    25803.63k    26825.13k    27110.40k    27235.67k
    aes-256-gcm    107303.03k  203501.85k  271777.62k  299456.51k  307303.77k

    The DSM has better performance. DSM uses a different version of OpenSSL. Is this what makes the performance difference? Here is the detail of the DSM output:

    OpenSSL 1.0.2h-fips  3 May 2016
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
    compiler: /usr/local/x86_64-pc-linux-gnu/bin/x86_64-pc-linux-gnu-ccache-gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -DSYNOPLAT_F_X86_64 -DSYNO_BROMOLOW -DSYNO_SAS -O2 -DBUILD_ARCH=64 -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -DSYNO_PLATFORM=BROMOLOW -DSYNO_RUNNING_DSM_BUILD_SYSTEM -g -pipe -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -O2 -Wno-unused-result  -Wl,-z,relro -Wl,--as-needed -Wl,--no-undefined -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -I/usr/local/x86_64-pc-linux-gnu/x86_64-pc-linux-gnu/sys-root/usr//include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM


  • Moderator

    Maybe even because Synology/DSM is running Linux not BSD?



  • tigs,  can you add the results of:

    openssl speed -evp aes-256-cbc
    


  • @aesguy:

    tigs,  can you add the results of:

    openssl speed -evp aes-256-cbc
    

    What do these results mean in real life? Does this mean a Linux-based firewall will perform better? Is the lower performance with pfSense due to a limitation of FreeBSD or the optimization of FreeBSD/pfSense? Can this be improved or optimized?

    I have also tested this board with IPFire, which is also Linux-based with a newer OpenSSL; its performance is exactly the same as Synology DSM, better than pfSense.

    Thanks.

    I was told that the specific test you mentioned does not make much sense. I have already reverted to pfSense, and therefore I can only test pfSense later.

    The above answer was meant to ask the person above your post. I am on a cell phone, inaccurate.

    [2.3.2-RELEASE][admin@pfSense.localdomain]/root: openssl speed -evp aes-256-cbc
    Doing aes-256-cbc for 3s on 16 size blocks: 934150 aes-256-cbc's in 0.31s
    Doing aes-256-cbc for 3s on 64 size blocks: 917102 aes-256-cbc's in 0.29s
    Doing aes-256-cbc for 3s on 256 size blocks: 760390 aes-256-cbc's in 0.32s
    Doing aes-256-cbc for 3s on 1024 size blocks: 451081 aes-256-cbc's in 0.18s
    Doing aes-256-cbc for 3s on 8192 size blocks: 92679 aes-256-cbc's in 0.05s
    OpenSSL 1.0.1s-freebsd  1 Mar 2016
    built on: date not available
    options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
    compiler: clang
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-256-cbc      47828.48k   203051.34k   607718.52k  2570612.56k 13882996.44k
    
    

  • Rebel Alliance Developer Netgate

    @tigs:

    What do these results mean in real life?

    Nothing because you need -elapsed on there for it to tell you anything meaningful in a real-world context.
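
Added example, not part of the thread: without `-elapsed`, `openssl speed` divides the bytes processed by CPU user time, so time spent in the kernel or waiting on a crypto device is not counted. The sketch below re-derives throughput from the "Doing ..." lines of the pfSense run above, once with the printed time and once with the nominal 3 s run length, which is assumed here to approximate what `-elapsed` would measure; the function names are hypothetical.

```python
import re

# The "Doing ..." lines from the pfSense run quoted in the thread
# (openssl speed -evp aes-256-cbc, run without -elapsed).
SAMPLE = """\
Doing aes-256-cbc for 3s on 16 size blocks: 934150 aes-256-cbc's in 0.31s
Doing aes-256-cbc for 3s on 64 size blocks: 917102 aes-256-cbc's in 0.29s
Doing aes-256-cbc for 3s on 256 size blocks: 760390 aes-256-cbc's in 0.32s
Doing aes-256-cbc for 3s on 1024 size blocks: 451081 aes-256-cbc's in 0.18s
Doing aes-256-cbc for 3s on 8192 size blocks: 92679 aes-256-cbc's in 0.05s
"""

LINE = re.compile(
    r"Doing \S+ for (?P<wall>\d+)s on (?P<size>\d+) size blocks: "
    r"(?P<count>\d+) \S+ in (?P<timed>[\d.]+)s"
)

def rates(text):
    """Map block size -> (reported, wall_clock) throughput in 1000s of bytes/s.

    reported   divides by the time openssl printed (CPU user time here).
    wall_clock divides by the nominal run length, assumed to be close to
               what -elapsed would have measured.
    """
    out = {}
    for m in LINE.finditer(text):
        total = int(m["count"]) * int(m["size"])
        out[int(m["size"])] = (total / float(m["timed"]) / 1000,
                               total / int(m["wall"]) / 1000)
    return out

def inflation(text):
    """Map block size -> factor by which the reported figure overstates."""
    return {size: rep / wall for size, (rep, wall) in rates(text).items()}

if __name__ == "__main__":
    factors = inflation(SAMPLE)
    for size, (rep, wall) in rates(SAMPLE).items():
        print(f"{size:>5} B  reported {rep:>12.2f}k  "
              f"wall-clock {wall:>10.2f}k  x{factors[size]:.1f}")
```

The wall-clock column comes out within a few percent of the `-elapsed -evp aes-256-cbc` row posted for pfSense at the top of the thread (5093.88k at 16 bytes, 250006.19k at 8192 bytes), while the reported column is inflated by roughly 10x to 60x.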