Netgate Discussion Forum
    2.1 hifn driver doesn't work with AES 256 CBC

    • V
      vodolej

      Hi,

      unfortunately the old bug is not fixed yet and still exists in the 2.1
      https://redmine.pfsense.org/issues/754

      Is there any chance to get it fixed?

      Thanks for your answer

      • H
        Honeybadger

        2nd the motion!

        • jimpJ
          jimp Rebel Alliance Developer Netgate

          It's a FreeBSD issue, which has a PR listed in the redmine ticket… http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/120270

          If it gets fixed in FreeBSD, the fix will eventually make its way into pfSense.

          If you can reproduce the issue on a stock FreeBSD install on FreeBSD 9.x or 10.x, update that PR and nudge someone on the FreeBSD side to have a look.

          • H
            Honeybadger

            Is this now just an Alix board issue and fixed on Soekris boards?

            Weird, I thought Alix were Soekris clones…

            Can anyone confirm this?

            • V
              vodolej

              @jimp:

              It's a FreeBSD issue, which has a PR listed in the redmine ticket… http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/120270

              If it gets fixed in FreeBSD, the fix will eventually make its way into pfSense.

              If you can reproduce the issue on a stock FreeBSD install on FreeBSD 9.x or 10.x, update that PR and nudge someone on the FreeBSD side to have a look.

              There is a patch available under Fix-Section on the freebsd-site:
              http://www.freebsd.org/cgi/query-pr.cgi?pr=kern%2F120270&getpatch=1

              Is it possible to compile pfSense with this patch?

              • jimpJ
                jimp Rebel Alliance Developer Netgate

                @vodolej:

                There is a patch available under Fix-Section on the freebsd-site:
                http://www.freebsd.org/cgi/query-pr.cgi?pr=kern%2F120270&getpatch=1

                Is it possible to compile pfSense with this patch?

                If someone can reproduce the problem on a stock FreeBSD install with that card and then try with that fix and confirm it works, we can look into getting it into our builds.

                • V
                  vodolej

                  Jimp,

                  are there instructions available, how to test it on Alix board with / without patch?
                  I'm ready to do that, but don't know, how.

                  Alternatively I can lend you my Soekris card with the hifn 7955-chip for tests, now it is unused because of this issue.

                  • V
                    vodolej

                    Will there be any answer to the question?
                    How the fix can be tested?

                    • D
                      doktornotor Banned

                      @vodolej:

                      How the fix can be tested?

                      https://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported

                      • V
                        vodolej

                        @doktornotor:

                        @vodolej:

                        How the fix can be tested?

                        https://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported

                        It is not the answer to my question. I have already an accelerator, but it doesn't work with AES256.

                        The question is:
                        How to test the FreeBSD/pfSense with the fix available on above mentioned link on Alix board?

                        I'm trying to push the process since months, but there is unfortunately no motion from pfSense-team.

                        • D
                          doktornotor Banned

                          Dunno, but both the PR link and the one I posted tell you HOW to test it using openssl… Not really sure what you are pushing where.  ::) Also, the entire PR appears irrelevant after rotting there for 6 years.

                          • V
                            vodolej

                            @doktornotor:

                            Dunno, but both the PR link and the one I posted tell you HOW to test it using openssl… Not really sure what you are pushing where.  ::) Also, the entire PR appears irrelevant after rotting there for 6 years.

                            The link you posted shows only how to test openssl ciphers with / without hardware accelerators. When executing these tests I discovered the same problem like other users: the performance of some ciphers like i.e. AES256 is the same with and without accelerator. The accelerator is not used because of the bug in FreeBSD.

                            It is correct that the issue has already been open for 6 years. And it is still relevant. I'm wondering why nobody takes care of it. I know users who are still waiting for the fix and are now using other platforms because of this issue.

                            I'm asking not for general information, but for a tutorial:
                            How to integrate the compile FreeBSD with the fix and how to test pfSense on this platform.

                            1 Reply Last reply Reply Quote 0
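The comparison discussed in the posts above (AES-256-CBC throughput with and without the accelerator) can be scripted; this is an added example, not part of the thread or of the linked pfSense documentation. The function names, the 1.5x threshold and the sample rows are assumptions made for illustration, and the `cryptodev` engine name assumes an OpenSSL build that ships that engine.

```shell
#!/bin/sh
# On the real box the two inputs would come from:
#   openssl speed -elapsed -evp aes-256-cbc
#   openssl speed -elapsed -evp aes-256-cbc -engine cryptodev
# -elapsed divides by wall-clock time; the default (CPU user time) makes
# an offload engine look far faster than it really is.

HDR='type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes'
# Constructed sample rows, not measurements from real hardware.
SAMPLE_SOFT="$HDR
aes-256-cbc       4100.10k     4500.20k     4650.30k     4700.40k     4710.50k"
SAMPLE_ENGINE_UNUSED="$HDR
aes-256-cbc       4090.00k     4480.00k     4640.00k     4685.00k     4690.00k"
SAMPLE_ENGINE_USED="$HDR
aes-256-cbc        900.00k     3500.00k    12000.00k    26000.00k    31000.00k"

# Print the last column (8192-byte blocks, in 1000s of bytes/s) of the row
# for cipher $1, reading `openssl speed` output on stdin. Fails if no row.
throughput_8k() {
    awk -v c="$1" '$1 == c { v = $NF; sub(/k$/, "", v); print v; found = 1 }
                   END { if (!found) exit 1 }'
}

# $1 = software-only output, $2 = engine output, $3 = minimum speed-up
# (hypothetical default 1.5). Prints "offloaded" or "software-only";
# returns 2 when a result row is missing.
classify() {
    s=$(printf '%s\n' "$1" | throughput_8k aes-256-cbc) || return 2
    e=$(printf '%s\n' "$2" | throughput_8k aes-256-cbc) || return 2
    awk -v s="$s" -v e="$e" -v r="${3:-1.5}" 'BEGIN {
        if (s <= 0) exit 2
        verdict = (e / s >= r) ? "offloaded" : "software-only"
        print verdict
    }'
}

echo "engine ignored: $(classify "$SAMPLE_SOFT" "$SAMPLE_ENGINE_UNUSED")"
echo "engine in use:  $(classify "$SAMPLE_SOFT" "$SAMPLE_ENGINE_USED")"
```

Only the 8192-byte column is compared because small blocks are dominated by per-request overhead, where an accelerator can be slower than the CPU even when it is working.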
                            • D
                              doktornotor Banned

                              With openssl 1.0.1(ef) used in 2.1/2.1.1 - which is what is actually used for OpenVPN, IPsec etc., the patch is irrelevant, as noted on the PR. Seriously cannot see how is that patch still relevant, but perhaps you have better ideas about openssl than its FreeBSD maintainer.

                              If things still do not work for you, afraid you need to start looking elsewhere for fixes, rather than trying to use 6+ years old patch for totally obsolete openssl version. An easy-enough test is to use stock FreeBSD 10 install instead of pfSense.

                              • V
                                vodolej

                                ok, now I got you.

                                With my config (Alix board, Soekris accelerator) it seems not easy to install the stock FreeBSD. I found no installation images, only one tutorial.
                                It says: "On most Alix boards (all except the one that has Video card) the only way to configure FreeBSD (at least until you can access it via SSH) is through serial port. "

                                But I don't have any PCs with a serial port.

                                Any ideas how to install FreeBSD on Alix?

                                • D
                                  doktornotor Banned

                                  There are USB->COM dongles available, if you search the forum, you'll definitely find out some tested working ones. Of course, installing FBSD on another machine and sticking the CF card into an Alix board after that could be another option. Can do anything else via SSH afterwards.

                                  • ?
                                    Guest

                                    http://www.freebsdonline.com/content/view/589/506/

                                    Seems like the kind of thing we should try internally, however.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.