4. OpenSSL/OpenVPN Performance - CBC and GCM ciphers

OpenSSL/OpenVPN Performance - CBC and GCM ciphers


  • We have had some fun comparing CPU OpenSSL performance in the snbforums.com site recently in the Router thread. I summarized the discussion in a blog post here https://x3mtek.com/openvpn-performance/.

    Likewise, @kvic also posted similar findings in his blog site at https://kazoo.ga/quick-benchmark-cbc-vs-gcm/.

    From the tests, GCM ciphers replace CBC as the go to cipher for OpenVPN speed and performance. Hopefully, your provider has already updated to OpenVPN 2.4 so you can take advantage of the improvements.

    0
  • B

    can you list providers that have moved to this cipher?

    i am still using CBC with no issues

    also this: https://www.netgate.com/blog/more-on-aes-ni.html

    "AES-GCM in particular has problems with side-channel attacks on pure software implementations. ChaCha20, which nicely avoids these issues when in software, isn’t an option. This is because: a) it’s not RFC-compliant, and b) there are currently no acceleration offloads for it, and the situation is that there could be thousands, or tens of thousands of pfSense instances hitting a single (clustered) instance of our cloud management platform."

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy