On 18. 12. 6., John Nielsen wrote:
>> On Dec 6, 2018, at 4:04 PM, Xin LI <delp...@gmail.com> wrote:
>>
>> On Thu, Dec 6, 2018 at 11:37 AM John Nielsen <li...@jnielsen.net> wrote:
>>>
>>> I have upgraded two physical machines from 11-STABLE to 12-STABLE recently
>>> (one is 12.0-PRERELEASE r341380 and the other is 12.0-PRERELEASE r341391).
>>> I noticed today that neither machine seems to be utilizing /dev/crypto.
>>> Typically I see at least ssh/sshd have the device open plus some programs
>>> from ports. But 'fuser' doesn't list any processes on either machine:
>>>
>>> # fuser /dev/crypto
>>> /dev/crypto:
>>>
>>> Both machines are running custom kernels that include "device crypto" and
>>> "device cryptodev". One of them additionally has "device aesni".
>>>
>>> Is anyone else seeing this? Any idea what would cause it?
>>
>> Your average OpenSSL applications should not use /dev/crypto, if your
>> goal is to utilize AES-NI (which does not require /dev/crypto). On
>> capable systems, AES-NI would be used automatically (and it's faster
>> this way).
>
> Thanks for the response. Is there a way to verify that AES-NI is being used
> for e.g. ssh?
> I'm also curious why/when/how the change to not use (or support?) /dev/crypto
> from base openssl was made.
OpenSSL 1.1.1 removed the old cryptodev:

https://svnweb.freebsd.org/base/vendor-crypto/openssl/dist/CHANGES?revision=340690&view=markup#l400

Instead, OpenSSL added a devcrypto engine for Linux:

https://github.com/openssl/openssl/commit/619eb33

and added BSD support:

https://github.com/openssl/openssl/commit/4f79aff

then completely removed the BSD-specific cryptodev:

https://github.com/openssl/openssl/commit/f39a550

However, it is disabled by default. Theoretically, it is functionally equivalent, but it wasn't tested much. I can enable the new engine on head if many users request it.

Jung-uk Kim
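John's remaining question was how to verify that AES-NI is actually being used now that nothing opens /dev/crypto. The script below is an added example written for this thread; it is not code from any of the posters or from FreeBSD or OpenSSL. It benchmarks an EVP cipher twice, once normally and once with the AES-NI capability bit hidden from libcrypto through the OPENSSL_ia32cap environment variable, and treats a large throughput drop as evidence that the accelerated path is in use. It assumes that `openssl` in PATH is the base OpenSSL 1.1.1, that the mask `~0x200000000000000` documented in OPENSSL_ia32cap(3) is the one that disables AES-NI, and that the `openssl speed -evp` summary line starts with the cipher name; the sample output in the test is constructed. Since base ssh/sshd link against the same libcrypto EVP code, what this shows for `openssl speed` applies to them as well.

```shell
#!/bin/sh
# Added example (not from the thread): confirm OpenSSL 1.1.1 is using AES-NI
# on FreeBSD 12 without /dev/crypto by timing a cipher with the CPU
# capability visible and then masked off.
#
# Assumptions: 'openssl' is base OpenSSL 1.1.1; OPENSSL_ia32cap(3) documents
# '~0x200000000000000' as the mask that hides AES-NI from libcrypto; the
# AESNI CPU flag shows up in the dmesg "Features2=" line on FreeBSD.

AESNI_OFF_MASK='~0x200000000000000'

# Read 'openssl speed -evp <cipher>' output on stdin and print the
# throughput (kB/s, integer) of the last column, the 16384-byte blocks.
# The summary line looks like: "aes-128-gcm  123456.78k ... 1234567.89k".
speed_kbps() {
    cipher=$1
    awk -v c="$cipher" '$1 == c { v = $NF; sub(/k$/, "", v); printf "%d\n", v; exit }'
}

# Print the integer ratio between throughput with AES-NI visible and with
# it masked. Hardware AES typically gives 3x or more; a ratio near 1 means
# the accelerated path was never taken.
speedup_ratio() {
    with=$1
    without=$2
    [ "$without" -gt 0 ] 2>/dev/null || { echo 0; return 1; }
    echo $(( with / without ))
}

# Live check: benchmark twice and print a verdict plus the engine status.
aesni_verdict() {
    cipher=${1:-aes-128-gcm}
    fast=$(openssl speed -evp "$cipher" 2>/dev/null | speed_kbps "$cipher")
    slow=$(OPENSSL_ia32cap="$AESNI_OFF_MASK" openssl speed -evp "$cipher" 2>/dev/null | speed_kbps "$cipher")
    ratio=$(speedup_ratio "$fast" "$slow" || true)
    echo "$cipher: ${fast} kB/s with AES-NI visible, ${slow} kB/s masked, ratio ${ratio}x"
    if [ "$ratio" -ge 2 ]; then
        echo "verdict: libcrypto uses AES-NI directly; /dev/crypto is not involved"
    else
        echo "verdict: no measurable AES-NI speed-up; check for AESNI in the"
        echo "         Features2= line of /var/run/dmesg.boot"
    fi
    # The devcrypto engine from the thread is disabled by default in base;
    # this shows whether the installed libcrypto can load it at all.
    openssl engine -t devcrypto 2>&1 | head -n 2
}

if [ "${1:-}" = "run" ]; then
    aesni_verdict "${2:-aes-128-gcm}"
fi
```

Run it as `sh check-aesni.sh run` (optionally followed by another EVP cipher name such as `aes-256-gcm`). The benchmark takes a few seconds per cipher; a ratio of 2x or more between the two runs is only possible if the first run executed the AES-NI code path, which is exactly what Xin LI's reply says happens automatically on capable CPUs.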