From owner-freebsd-ports@FreeBSD.ORG Sun Jun 14 08:18:43 2015 Return-Path: Delivered-To: freebsd-ports@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 0E3E02D8 for ; Sun, 14 Jun 2015 08:18:43 +0000 (UTC) (envelope-from dewayne.geraghty@heuristicsystems.com.au) Received: from hermes.heuristicsystems.com.au (hermes.heuristicsystems.com.au [203.41.22.115]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "hermes.heuristicsystems.com.au", Issuer "Heuristic Systems Type 4 Host CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 9E1145E5 for ; Sun, 14 Jun 2015 08:18:41 +0000 (UTC) (envelope-from dewayne.geraghty@heuristicsystems.com.au) Received: from [10.0.5.3] (ewsw01.hs [10.0.5.3]) (authenticated bits=0) by hermes.heuristicsystems.com.au (8.14.6/8.13.6) with ESMTP id t5E8H91F069018 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT) for ; Sun, 14 Jun 2015 18:17:15 +1000 (EST) (envelope-from dewayne.geraghty@heuristicsystems.com.au) Message-ID: <557D3883.8030306@heuristicsystems.com.au> Date: Sun, 14 Jun 2015 18:17:07 +1000 From: Dewayne Geraghty User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Thunderbird/31.6.0 MIME-Version: 1.0 To: "freebsd-ports@freebsd.org" Subject: libressl vs openssl - surprises Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-ports@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Porting software to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 14 Jun 2015 08:18:43 -0000 Having read that PC-BSD are/have moved to using libressl in their base system, it was time to have a look. So I updated my ports tree, built in sequence openssl, tested and then built libressl and tested. Platform xeon 1230Lv3 (1.8GHz, 8 logical cores), FreeBSD 10.1 built fresh last night. Summary: openssl aes256 encrypt/decrypt 160MB file: 0.686157 secs (244509876 bytes/sec) libressl aes256 encrypt/decrypt 160MB file: 1.768195 secs (94883282 bytes/sec) openssl speed -evp aes-256-cbc: 74691.70k 288535.11k 876427.49k 5323319.66k 29095886.85k libressl, speed -evp aes-256-cbc: 95036.12k 103030.42k 104839.86k 105190.19k 105840.81k Please note that I added the following to each Makefile, immediately after CPE_VENDOR line CFLAGS+="-O3" I also have the options for openssl "sse2 shared threads". There are no options for libressl. As I use crypto/ssl extensively it seems that migrating to the libressl port will reduce the performance of dependent ports. Are others seeing similar performance? Does anyone have any suggestions for raising the performance of libressl? On the bright side, libressl includes ChaCha20-Poly1305 and other ciphers contrary to the openbsd man page. Refs: 1. http://blog.pcbsd.org/2015/03/a-look-at-the-upcoming-features-for-10-1-2/ 2. https://forums.freebsd.org/threads/replace-openssl-with-libressl.47203/ use of OPENSSL_PORT=security/libressl Detail: I ran the speed and encrypt/decrypt cycle three times for each and took the middle score from each for comparison. For reference dd if=/dev/zero bs=1m count=160 > /dev/null ; # 0.016084 secs (10431025952 bytes/sec) openssl ---------- dd if=/dev/zero bs=1m count=160 | openssl enc -e -aes-256-cbc -pass pass:p1 | openssl enc -aes-256-cbc -d -pass pass:p1 > /dev/null 160+0 records in 160+0 records out 167772160 bytes transferred in 0.686157 secs (244509876 bytes/sec) openssl speed -evp aes-256-cbc Doing aes-256-cbc for 3s on 16 size blocks: 1568234 aes-256-cbc's in 0.34s Doing aes-256-cbc for 3s on 64 size blocks: 1479306 aes-256-cbc's in 0.33s Doing aes-256-cbc for 3s on 256 size blocks: 1203590 aes-256-cbc's in 0.35s Doing aes-256-cbc for 3s on 1024 size blocks: 690433 aes-256-cbc's in 0.13s Doing aes-256-cbc for 3s on 8192 size blocks: 138740 aes-256-cbc's in 0.04s OpenSSL 1.0.2c 12 Jun 2015 built on: reproducible build, date unspecified options:bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx) compiler: /usr/local/libexec/ccache/cc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -pthread -D_THREAD_SAFE -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -Wall -O2 -pipe -g0 -ggdb0 -DSTRIP_FBSDID -O3 -march=core-avx-i -O3 -fno-strict-aliasing The 'numbers' are in 1000s of bytes per second processed. type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-256-cbc 74691.70k 288535.11k 876427.49k 5323319.66k 29095886.85k libressl --------- # dd if=/dev/zero bs=1m count=160 | openssl enc -e -aes-256-cbc -pass pass:p1 | openssl enc -aes-256-cbc -d -pass pass:p1 > /dev/null 160+0 records in 160+0 records out 167772160 bytes transferred in 1.768195 secs (94883282 bytes/sec) # openssl speed -evp aes-256-cbc Doing aes-256-cbc for 3s on 16 size blocks: 18097699 aes-256-cbc's in 3.05s Doing aes-256-cbc for 3s on 64 size blocks: 4829551 aes-256-cbc's in 3.00s Doing aes-256-cbc for 3s on 256 size blocks: 1241390 aes-256-cbc's in 3.03s Doing aes-256-cbc for 3s on 1024 size blocks: 310582 aes-256-cbc's in 3.02s Doing aes-256-cbc for 3s on 8192 size blocks: 38861 aes-256-cbc's in 3.01s LibreSSL 2.1.7 built on: date not available options:bn(64,64) rc4(ptr,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx) compiler: information not available The 'numbers' are in 1000s of bytes per second processed. type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-256-cbc 95036.12k 103030.42k 104839.86k 105190.19k 105840.81k