Date: Tue, 1 Mar 2011 15:16:28 GMT
From: Hans Duedal <hd@onlinecity.dk>
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/155160: AES-NI breaks OpenSSL client calls
Message-ID: <201103011516.p21FGS8p095246@red.freebsd.org>
Resent-Message-ID: <201103011520.p21FK8K5065116@freefall.freebsd.org>
>Number:         155160
>Category:       misc
>Synopsis:       AES-NI breaks OpenSSL client calls
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 01 15:20:07 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Hans Duedal
>Release:        8.2
>Organization:
OnlineCity ApS
>Environment:
FreeBSD db3.gw.ocx.dk 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17 02:41:51 UTC 2011 root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
When cryptodev and aesni(4) are enabled in FreeBSD 8.2, some clients using OpenSSL can't handshake with SSL servers.

Output of "openssl engine -c -t":
(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH, AES-128-CBC]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]

From dmesg:
CPU: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz (2394.01-MHz K8-class CPU)
  Origin = "GenuineIntel"  Id = 0x206c2  Family = 6  Model = 2c  Stepping = 2
  Features=0xbfebfbff [shortened]
  Features2=0x29ee3ff [shortened]
cryptosoft0: <software crypto> on motherboard
aesni0: <AES-CBC,AES-XTS> on motherboard

I followed this article to enable aes-ni:
http://translate.google.com/translate?js=n&prev=_t&ie=UTF-8&layout=2&eotf=1&sl=ru&tl=en&u=http%3A%2F%2Fsysadminblog.ru%2Ffreebsd%2F2011%2F01%2F15%2Ffreebsd-aesni-openssl-openvpn.html&act=url

AES-NI gave a 2x performance boost for 1024 and 8192 byte blocks btw.
>How-To-Repeat:
1. Enable cryptodev and aes_ni by adding the following lines to /boot/loader.conf:
   aesni_load="YES"
   cryptodev_load="YES"
2. Reboot
3. Connect to an affected ssl host (most hosts excluding google):
   curl -v "https://twitter.com/"
4. Error: "error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac"
>Fix:
Disable aes-ni.
>Release-Note:
>Audit-Trail:
>Unformatted:
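
Added example, not part of the original report: a small shell check for whether a host is in the configuration the report describes, meaning both modules are loaded from loader.conf and the cryptodev engine is available and claims an AES cipher. The function names and the sample input are constructed for illustration; the check identifies the configuration only and does not test the handshake itself.

```shell
#!/bin/sh
# Added example: recognise the configuration described in misc/155160.

# Reads `openssl engine -c -t` output on stdin. Prints the AES ciphers claimed
# by the cryptodev engine; returns 0 only if that engine is available and
# claims at least one AES cipher.
cryptodev_aes_ciphers() {
    awk '
        /^\(/ { in_cd = ($1 == "(cryptodev)"); next }   # engine header line
        !in_cd { next }                                 # ignore other engines
        /\[ *available *\]/   { avail = 1; next }
        /\[ *unavailable *\]/ { next }
        /\[.*\]/ {                                      # capability list
            gsub(/\[|\]| /, "")
            n = split($0, caps, ",")
            for (i = 1; i <= n; i++)
                if (caps[i] ~ /^AES-/) out = out caps[i] " "
        }
        END {
            sub(/ $/, "", out)
            if (avail && out != "") { print out; exit 0 }
            exit 1
        }'
}

# Reads loader.conf text on stdin. Returns 0 if both modules named in the
# report are set to load at boot; commented-out lines are ignored.
loader_loads_both() {
    awk -F= '
        /^[ \t]*#/ { next }
        { k = $1; v = $2; gsub(/[ \t"]/, "", k); gsub(/[ \t"]/, "", v) }
        k == "aesni_load"     && toupper(v) == "YES" { a = 1 }
        k == "cryptodev_load" && toupper(v) == "YES" { c = 1 }
        END { exit !(a && c) }'
}

# Constructed sample input, modelled on the output quoted in the report.
SAMPLE_ENGINE='(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH, AES-128-CBC]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]'
SAMPLE_LOADER='aesni_load="YES"
cryptodev_load="YES"'

if ciphers=$(printf '%s\n' "$SAMPLE_ENGINE" | cryptodev_aes_ciphers) &&
   printf '%s\n' "$SAMPLE_LOADER" | loader_loads_both; then
    echo "matches reported configuration: cryptodev offloads $ciphers"
fi
```

On a live host, feed the functions `openssl engine -c -t` and `/boot/loader.conf` in place of the sample variables.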