Netgate Discussion Forum

OpenSSL not loading full SafeXcel capabilities.

    stephenw10 Netgate Administrator
    last edited by Mar 17, 2025, 2:11 AM

    Not yet. I was away this weekend.

      JonathanLee @stephenw10
      last edited by Mar 21, 2025, 9:41 PM

      @stephenw10 I think it has to do with fstab use or .eli for swap, but even if I turned off .eli it still does not work.

      Make sure to upvote

        JonathanLee @stephenw10
        last edited by Mar 27, 2025, 1:52 PM

        @stephenw10 Any word? If you need a copy of my config, that is no problem.

        Make sure to upvote

          JonathanLee @stephenw10
          last edited by JonathanLee Apr 1, 2025, 9:55 PM Apr 1, 2025, 9:55 PM

          @stephenw10 I just wanted to follow up on this. I was able to get SafeXcel to increment with use of setting Squid proxy to use the sslengine as devcrypto. Don’t know if that helps.

          Make sure to upvote

            stephenw10 Netgate Administrator
            last edited by Apr 1, 2025, 9:59 PM

            Hmm, interesting, so you see interrupts there but not when calling it via openssl-speed?

              JonathanLee @stephenw10
              last edited by JonathanLee Apr 2, 2025, 4:46 PM Apr 2, 2025, 4:45 PM

              @stephenw10 Yes, I can see interrupts when using squid’s ssl engine directive when doing ssl intercept, but when the OpenVPN use it will not increment. I keep thinking it is because I use .eli in the fstab file for the swap encryption, but if that was the case, why does it increment when I use .eli and squid’s ssl engine directive? Weird, right? And it does improve performance with the certificate stuff.

              Squid custom option.
              ssl_engine devcrypto

              Make sure to upvote

                Gertjan @JonathanLee
                last edited by Apr 3, 2025, 8:19 AM

                @JonathanLee said in OpenSSL not loading full SafeXcel capabilities.:

                I can see interrupts when using squid’s ssl engine directive when doing ssl intercept, but when the OpenVPN use it will not increment.

                Seems normal and understandable to me.
                The OpenVPN app connects only to the OpenVPN server, and the connection is created if authentication worked out fine.
                I don't see the MITM (pfSense) doing that: emulating an OpenVPN server authentication so it can intercept.

                And it's a waste of time trying to decrypt an OpenVPN stream; OpenVPN can't be 'MITMed', not with the hardware that exists in 2025.
                Maybe the quantum pfSense version in the future? 😊

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                  stephenw10 Netgate Administrator
                  last edited by Apr 3, 2025, 12:54 PM

                  No it's when using pfSense as an OpenVPN server or client with an encryption algorithm that safeXcel supports. Or at least should support.

                    Gertjan @stephenw10
                    last edited by Apr 3, 2025, 1:02 PM

                    @stephenw10

                    Ah, overlooked that.
                    I thought, while reading : an OpenVPN connection flowing through pfSense that does Squid stuff ...

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??

                      JonathanLee @Gertjan
                      last edited by Apr 3, 2025, 8:54 PM

                      @Gertjan I am attempting to offload the encryption to the SafeXcel chip. I have had it running in the past with OpenVPN. Again, I am also testing use of it with squid and my swap partition; both of those cause the interrupts to be incremented, but all of a sudden OpenVPN will not use the SafeXcel chip anymore, and it did with this version a couple of months ago. Something is different, as it should utilize it like it did in the past. I originally thought it could only be used by one component, that could be the fstab file and use of .eli to encrypt the swap and/or using it with squid for acceleration of ssl certificates, but they both work; all of a sudden OpenVPN won’t increment the counters anymore. It’s weird because, from what I am told, OpenVPN should do this automatically. The new versions of software remove use of hardware crypto and OpenVPN, but I can’t even run tests; it acts like the chip does not load. That’s where it has confusion: it should still see the counters increment in the system, but it does not. It does drastically improve performance with the “ssl engine” directive in squid. Again, not many people use .eli at the end of the swap config in fstab. So it’s kind of a trial-and-error thing. Goal: faster VPN access to my private NAS.

                      Make sure to upvote
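
The check the thread keeps returning to (do the SafeXcel interrupt counters move while a given workload runs?) can be made repeatable by diffing two `vmstat -i` snapshots. This is an added example, not code from any poster or from Netgate; the function names, the `safexcel` device substring as it appears in the interrupt list, and the sample snapshot lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: compare interrupt totals for a crypto device across two
# `vmstat -i` snapshots. All names and sample data here are constructed.

# Sum the "total" column (second-to-last field) of every line naming the device.
sum_irqs() {    # $1 = device substring, stdin = vmstat -i output
    awk -v dev="$1" 'index($0, dev) { t += $(NF-1) } END { print t + 0 }'
}

# Difference in summed totals between two snapshots held in variables.
irq_delta() {   # $1 = device substring, $2 = before text, $3 = after text
    before=$(printf '%s\n' "$2" | sum_irqs "$1")
    after=$(printf '%s\n' "$3" | sum_irqs "$1")
    echo $((after - before))
}

# A zero delta means no request reached the driver during the window.
verdict() {     # $1 = delta
    if [ "$1" -gt 0 ]; then echo "offloaded"; else echo "not offloaded"; fi
}

# Constructed snapshots in the general shape of FreeBSD `vmstat -i` output.
SAMPLE_BEFORE='interrupt                          total       rate
gic0,p11: generic_timer0          901234         49
gic0,s24: safexcel0                  120          0
gic0,s25: safexcel0                   80          0'
# Constructed: after a workload that used the engine (counters moved).
SAMPLE_AFTER_BUSY='interrupt                          total       rate
gic0,p11: generic_timer0          915800         49
gic0,s24: safexcel0                  960          0
gic0,s25: safexcel0                  780          0'
# Constructed: after a workload that stayed in software (counters unchanged).
SAMPLE_AFTER_IDLE='interrupt                          total       rate
gic0,p11: generic_timer0          915800         49
gic0,s24: safexcel0                  120          0
gic0,s25: safexcel0                   80          0'

# Live use on the firewall:
#   b=$(vmstat -i); <run the workload under test>; a=$(vmstat -i)
#   verdict "$(irq_delta safexcel "$b" "$a")"
```

Run the comparison once per consumer (Squid, OpenVPN, swap) with the others idle, since the counters are shared and any one of them can move the total.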
