From owner-freebsd-bugs@FreeBSD.ORG Tue Mar 1 15:20:08 2011 Return-Path: Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 983E1106566C for ; Tue, 1 Mar 2011 15:20:08 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 55D288FC15 for ; Tue, 1 Mar 2011 15:20:08 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id p21FK8mC065117 for ; Tue, 1 Mar 2011 15:20:08 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id p21FK8K5065116; Tue, 1 Mar 2011 15:20:08 GMT (envelope-from gnats) Resent-Date: Tue, 1 Mar 2011 15:20:08 GMT Resent-Message-Id: <201103011520.p21FK8K5065116@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Hans Duedal Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2C2291065676 for ; Tue, 1 Mar 2011 15:16:29 +0000 (UTC) (envelope-from nobody@FreeBSD.org) Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22]) by mx1.freebsd.org (Postfix) with ESMTP id 1B4748FC2D for ; Tue, 1 Mar 2011 15:16:29 +0000 (UTC) Received: from red.freebsd.org (localhost [127.0.0.1]) by red.freebsd.org (8.14.4/8.14.4) with ESMTP id p21FGSnG095247 for ; Tue, 1 Mar 2011 15:16:28 GMT (envelope-from nobody@red.freebsd.org) Received: (from nobody@localhost) by red.freebsd.org (8.14.4/8.14.4/Submit) id p21FGS8p095246; Tue, 1 Mar 2011 15:16:28 GMT (envelope-from nobody) Message-Id: <201103011516.p21FGS8p095246@red.freebsd.org> Date: Tue, 1 Mar 2011 15:16:28 GMT From: Hans Duedal To: freebsd-gnats-submit@FreeBSD.org X-Send-Pr-Version: www-3.1 Cc: Subject: misc/155160: AES-NI breaks OpenSSL client calls X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 01 Mar 2011 15:20:08 -0000 >Number: 155160 >Category: misc >Synopsis: AES-NI breaks OpenSSL client calls >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Tue Mar 01 15:20:07 UTC 2011 >Closed-Date: >Last-Modified: >Originator: Hans Duedal >Release: 8.2 >Organization: OnlineCity ApS >Environment: FreeBSD db3.gw.ocx.dk 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17 02:41:51 UTC 2011 root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64 >Description: When cryptodev and aesni(4) are enabled in FreeBSD 8.2, some clients using OpenSSL can't handshake with SSL servers. Output of "openssl engine -c -t": (cryptodev) BSD cryptodev engine [RSA, DSA, DH, AES-128-CBC] [ available ] (dynamic) Dynamic engine loading support [ unavailable ] >From dmesg: CPU: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz (2394.01-MHz K8-class CPU) Origin = "GenuineIntel" Id = 0x206c2 Family = 6 Model = 2c Stepping = 2 Features=0xbfebfbff [shortened] Features2=0x29ee3ff [shortened] cryptosoft0: on motherboard aesni0: on motherboard I followed this article to enable aes-ni: http://translate.google.com/translate?js=n&prev=_t&ie=UTF-8&layout=2&eotf=1&sl=ru&tl=en&u=http%3A%2F%2Fsysadminblog.ru%2Ffreebsd%2F2011%2F01%2F15%2Ffreebsd-aesni-openssl-openvpn.html&act=url AES-NI gave a 2x performance boost for 1024 and 8192 byte blocks btw. >How-To-Repeat: 1. Enable cryptodev and aes_ni by adding the following lines to /boot/loader.conf: aesni_load="YES" cryptodev_load="YES" 2. Reboot 3. Connect to an affected ssl host (most hosts excluding google): curl -v "https://twitter.com/" 4. Error: "error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac" >Fix: Disable aes-ni. >Release-Note: >Audit-Trail: >Unformatted: