misc/155160: AES-NI breaks OpenSSL client calls
Hans Duedal
hd at onlinecity.dk
Tue Mar 1 15:20:08 UTC 2011
>Number: 155160
>Category: misc
>Synopsis: AES-NI breaks OpenSSL client calls
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Mar 01 15:20:07 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Hans Duedal
>Release: 8.2
>Organization:
OnlineCity ApS
>Environment:
FreeBSD db3.gw.ocx.dk 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17 02:41:51 UTC 2011 root at mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
When cryptodev and aesni(4) are enabled in FreeBSD 8.2, some clients using OpenSSL can't handshake with SSL servers.
Output of "openssl engine -c -t":
(cryptodev) BSD cryptodev engine
[RSA, DSA, DH, AES-128-CBC]
[ available ]
(dynamic) Dynamic engine loading support
[ unavailable ]
>From dmesg:
CPU: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz (2394.01-MHz K8-class CPU)
Origin = "GenuineIntel" Id = 0x206c2 Family = 6 Model = 2c Stepping = 2
Features=0xbfebfbff [shortened]
Features2=0x29ee3ff [shortened]
cryptosoft0: <software crypto> on motherboard
aesni0: <AES-CBC,AES-XTS> on motherboard
I followed this article to enable aes-ni: http://translate.google.com/translate?js=n&prev=_t&ie=UTF-8&layout=2&eotf=1&sl=ru&tl=en&u=http%3A%2F%2Fsysadminblog.ru%2Ffreebsd%2F2011%2F01%2F15%2Ffreebsd-aesni-openssl-openvpn.html&act=url
AES-NI gave a 2x performance boost for 1024 and 8192 byte blocks btw.
>How-To-Repeat:
1. Enable cryptodev and aes_ni by adding the following lines to /boot/loader.conf:
aesni_load="YES"
cryptodev_load="YES"
2. Reboot
3. Connect to an affected ssl host (most hosts excluding google):
curl -v "https://twitter.com/"
4. Error: "error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac"
>Fix:
Disable aes-ni.
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list