pfSense Support Subscription

Author Topic: Unclear cryptographic practical use for OpenVPN  (Read 313 times)

0 Members and 1 Guest are viewing this topic.

Offline MarcoP

  • Jr. Member
  • **
  • Posts: 31
  • Karma: +0/-0
    • View Profile
Unclear cryptographic practical use for OpenVPN
« on: August 24, 2017, 05:36:20 am »
Hello, 

my mother language is not English and this is probably why the document seems erroneous to me.

https://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported


Quote
Practical Use - OpenVNP

To take advantage of acceleration in OpenVPN, choose a supported cipher such as aes-128-cbc on each end of a given tunnel, then select BSD Cryptodev Engine for Hardware Crypto.

Similarly, if the system employs the VIA Padlock engine, choose an appropriate cipher and select VIA Padlock for Hardware Crypto.

Nothing needs selected for OpenVPN to utilize AES-NI. The OpenSSL engine has its own code for handling AES-NI that works well without using the BSD Cryptodev Engine.

On the first paragraph it says to select cryptodev, but on the 3rd one says it has it's own code that works well without cryptodev.

O.T.:
I do have EAS-NI support and it is selected under Advanced - Miscellaneous config, but on my OpenVPN Server edit page I cannot select any crypt engine at all.
As I don't remember the prev Server config (I have xml backups, so I can find the answer) I thought to have a look at docs for any mistake on my side, or for issues cause by upgrading from 2.3.4-p1 to 2.4.0-RC (amd64).


Cheers
« Last Edit: August 24, 2017, 07:03:07 am by MarcoP »

Offline MarcoP

  • Jr. Member
  • **
  • Posts: 31
  • Karma: +0/-0
    • View Profile
Re: Unclear cryptographic practical use for OpenVPN
« Reply #1 on: August 24, 2017, 07:29:05 am »
After some reading I understood that OpenSSL does have AES-NI built in and it will try to use it when available on chip, it doesn't need any kernel module to be loaded.

I believe the documentation should include the above info, and clarify possible scenarios on Advanced - Miscellaneous - Cryptographic Hardware settings, for example:

With AES-NI chip
When "none" or "AES-NI CPU": OpenVPN will use OpenSSL built-in AES-NI support.
When "BSD cryptodev": OpenVPN will use ASE-NI trough BSD Cryptodev.

... that is if I actually understood correctly.

Cheers
« Last Edit: August 24, 2017, 07:35:30 am by MarcoP »