Differences
This shows you the differences between two versions of the page.
|
force-enable-openssl-aes-ni-usage [2018-12-11 06:15 UTC] rm |
force-enable-openssl-aes-ni-usage [2023-02-27 16:57 UTC] (current) rm |
||
|---|---|---|---|
| Line 11: | Line 11: | ||
| * https://mjanja.ch/2013/11/disabling-aes-ni-on-linux-openssl/ | * https://mjanja.ch/2013/11/disabling-aes-ni-on-linux-openssl/ | ||
| - | I believe the syntax used there applies "xor" over the real flag values, e.g. ''OPENSSL_ia32cap="~0x200000200000000"'' to disable AES. But what if you need to force-enable it. Turns out the syntax working for that is simply: | + | I believe the syntax used there applies "xor" over the real flag values, e.g. ''OPENSSL_ia32cap="~0x200000200000000"'' to disable AES. But what if you need to force-enable it? Turns out the syntax working for that is simply: |
| + | |||
| + | * ''OPENSSL_ia32cap="+0x200000200000000"'' | ||
| + | |||
| + | ===== 2023-02 update ===== | ||
| + | A reader of this article has sent in the following update: | ||
| + | |||
| + | "The ''OPENSSL_ia32cap="+0x200000200000000"'' environment variable no longer works on recent OpenSSL versions. The plus sign has to be removed. | ||
| + | |||
| + | In fact, it never worked as you probably had intended. OpenSSL only ever supported the tilde mark (~) to remove or mask some bits, and never the plus sign (to add or enable some feature bits). It happened to work in previous versions because they used strtoul() which supports '+' sign. The value after the plus sign overwrites the cpuid, not adds to it. However, they changed to a custom parser in commit https://github.com/openssl/openssl/commit/b86d57bb0b23253c720db38ab18ca97cb888f701 and thus '+' is no longer supported. | ||
| + | |||
| + | I am not sure about the full consequences of setting cpuid to 0x200000200000000, because it apparently removes the MMX, SSE(2) and many other very basic features, although AES-NI is indeed enabled. More recent OpenSSL versions (like 3.0) prints the full ia32cap value when running "openssl speed". Maybe it is a better idea to override it with a value taken from a realistic CPU model." | ||
| + | |||
| + | ===== Original text ===== | ||
| - | * <code>OPENSSL_ia32cap="+0x200000200000000"</code> | ||
| Let's take one VPS box with the aforementioned problem. | Let's take one VPS box with the aforementioned problem. | ||
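Review bot: The changed sentence at Line 11 still ends with "Turns out the syntax working for that is simply:" and the added bullet ''OPENSSL_ia32cap="+0x200000200000000"'' follows it with no qualifier, which contradicts the 2023-02 update added directly below. That update states that the plus sign never added feature bits, that the value after it overwrites the cpuid, and that '+' is no longer supported after the parser change in the linked commit. A reader who stops at the bullet takes away the superseded instruction. Suggest placing a one-line pointer to the update before the bullet, or moving the bullet under the "Original text" heading with the rest of the old content. The update also reports that this value apparently removes MMX, SSE(2) and other basic features, so that caveat belongs next to the value itself, along with the reader's suggestion to compare against the ia32cap value printed by "openssl speed".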
| Line 65: | Line 77: | ||
| But how to apply that to Tor? Well, for some initial testing I just chose to add the following line to /etc/init.d/tor (not using systemd here), right after ''"#! /bin/bash"'': | But how to apply that to Tor? Well, for some initial testing I just chose to add the following line to /etc/init.d/tor (not using systemd here), right after ''"#! /bin/bash"'': | ||
| - | * <code>export OPENSSL_ia32cap="+0x200000200000000"</code> | + | * ''export OPENSSL_ia32cap="+0x200000200000000"'' |
| (but this will get overwritten and removed by the next Tor version upgrade). | (but this will get overwritten and removed by the next Tor version upgrade). | ||
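Review bot: The export line for /etc/init.d/tor changes only its markup (from <code> to '') and keeps the "+" prefix, although the update added in this same revision says the plus sign has to be removed on recent OpenSSL versions. This is the line readers are most likely to paste into the init script, so suggest marking it as the historical form and pointing to the 2023-02 update, so the Tor step is not applied unchanged on a current OpenSSL.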
force-enable-openssl-aes-ni-usage.1544508902.txt.gz · Last modified: 2018-12-11 06:15 UTC (external edit)