2.5.0 OpenVPN no AES-NI
-
I see on the dashboard Hardware Crypto is enabled and active but i can't choose it in the OpenVPN configuration.
Version: built on Sat Aug 08 01:03:06 EDT 2020
I thought this bug was solved or not?
Bug 9646If this is not fixed is there any timeframe this will be fixed.
Yes i know i'm running a dev version but i think this bug is grave.
openssl engine -t -c -pre DUMP_INFO (dynamic) Dynamic engine loading support [Failure]: DUMP_INFO 34370871296:error:260AC089:engine routines:int_ctrl_helper:invalid cmd name:/build/ce-crossbuild-master/sources/FreeBSD-src/crypto/openssl/crypto/engine/eng_ctrl.c:87: 34370871296:error:260AB089:engine routines:ENGINE_ctrl_cmd_string:invalid cmd name:/build/ce-crossbuild-master/sources/FreeBSD-src/crypto/openssl/crypto/engine/eng_ctrl.c:255: [ unavailable ]Ok looks like this is not working.
CPU has AES-NI features und it was working in the past on these servers (Dell R210 II )sysctl -a | egrep -i 'hw.machine|hw.model|hw.ncpu' hw.machine: amd64 hw.model: Intel(R) Xeon(R) CPU E31220 @ 3.10GHz hw.ncpu: 4 hw.machine_arch: amd64 dmesg -a | grep Features Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE> Features2=0x1fbae3ff<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,TSCDLT,AESNI,XSAVE,OSXSAVE,AVX>openssl engine -c -t (dynamic) Dynamic engine loading support [ unavailable ] -
Did you set AES-NI under System > Advanced, Misc. in the crypto module options?
-
Yes i tried both - AES-NI and BSD Cyptodev
-
Any messages in the system log about aesni? Check
/var/log/dmesg.bootspecifically.You should see a line like this:
Aug 10 10:37:45 pfSense kernel: aesni0: <AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS> on motherboardIs it enabled in your BIOS?
-
Yes it is enabled in the BIOS as you see above the CPU does report the correct features
I only see the CPU features in the dmesg.boot.
-
Is
aesniloaded inkldstatoutput? -
kldstat Id Refs Address Size Name 1 19 0xffffffff80200000 38d7128 kernel 2 2 0xffffffff83ad9000 a448 opensolaris.ko 3 1 0xffffffff83ae4000 3ba750 zfs.ko 4 1 0xffffffff8423d000 1000 cpuctl.ko 5 1 0xffffffff8423e000 8c90 aesni.ko 6 1 0xffffffff84247000 37e8 cryptodev.ko -
This post is deleted! -
I have reported this issue before.
-
OK so there is an patch for ssl but this patch is causing problems as i read.
OpenSSL was patched in 2018 but this bug exists in pfsense in 2020? Or is there another bug which is causing this?
-
In 2.4.* it is also not showing and, as far as I remember, never was (Hyper-V), so I hope it is working automagically.
-
AES-NI will never show on the OpenVPN page. OpenVPN/OpenSSL will detect and use AES-NI automatically.
The only place you can pick AES-NI from a list is under System > Advanced on the Misc tab to tell the system whether or not to load the kernel module. Primarily that will affect IPsec, not OpenVPN.
-
Thank you for the clarification.
But why is there the option if it will be NEVER shown in the OpenVPN configuration?
-
Those are two completely different sets of crypto controls. One for the operating system in general, and one specifically for OpenVPN. There are many more uses for crypto on pfSense than OpenVPN.
AES-NI never shows in OpenVPN because it isn't a relevant option. It is not considered a crypto "engine" to OpenVPN or OpenSSL, because it uses it automatically. Some devices have to be selected manually.
