Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 1 Mar 2011 15:16:28 GMT
From:      Hans Duedal <hd@onlinecity.dk>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   misc/155160: AES-NI breaks OpenSSL client calls 
Message-ID:  <201103011516.p21FGS8p095246@red.freebsd.org>
Resent-Message-ID: <201103011520.p21FK8K5065116@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help 

>Number:         155160
>Category:       misc
>Synopsis:       AES-NI breaks OpenSSL client calls
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 01 15:20:07 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Hans Duedal
>Release:        8.2
>Organization:
OnlineCity ApS
>Environment:
FreeBSD db3.gw.ocx.dk 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17 02:41:51 UTC 2011     root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
When cryptodev and aesni(4) are enabled in FreeBSD 8.2, some clients using OpenSSL can't handshake with SSL servers.

Output of "openssl engine -c -t":
(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH, AES-128-CBC]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]

>From dmesg:
CPU: Intel(R) Xeon(R) CPU           E5620  @ 2.40GHz (2394.01-MHz K8-class CPU)
  Origin = "GenuineIntel"  Id = 0x206c2  Family = 6  Model = 2c  Stepping = 2
  Features=0xbfebfbff [shortened]
  Features2=0x29ee3ff [shortened]
cryptosoft0: <software crypto> on motherboard
aesni0: <AES-CBC,AES-XTS> on motherboard

I followed this article to enable aes-ni: http://translate.google.com/translate?js=n&prev=_t&ie=UTF-8&layout=2&eotf=1&sl=ru&tl=en&u=http%3A%2F%2Fsysadminblog.ru%2Ffreebsd%2F2011%2F01%2F15%2Ffreebsd-aesni-openssl-openvpn.html&act=url

AES-NI gave a 2x performance boost for 1024 and 8192 byte blocks btw.
>How-To-Repeat:
1. Enable cryptodev and aes_ni by adding the following lines to /boot/loader.conf:
aesni_load="YES"
cryptodev_load="YES"
2. Reboot
3. Connect to an affected ssl host (most hosts excluding google): 
curl -v "https://twitter.com/"
4. Error: "error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac"
>Fix:
Disable aes-ni.

>Release-Note:
>Audit-Trail:
>Unformatted:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201103011516.p21FGS8p095246>