On 6/5/16 2:17 PM, Roman Mamedov wrote:
On Sun, 5 Jun 2016 13:28:04 +0200 "Fabio Pietrosanti (naif) - lists" lists@infosecurity.ch wrote:
I had to install to get the hw acceleration library: Tor version 0.2.8.1-alpha (git-9093e3769746742f).
Which OS do you use?
In my experience I had to recompile OpenSSL with the Padlock patch: https://romanrm.net/openssl-padlock And then Tor would simply crash if such patched OpenSSL is installed and HardwareAccel is enabled in torrc. However I did not try the 0.2.8.1-alpha.
Yes, that's the way I've done the setup Tor+OpenSSL:
cd
sudo DEBIAN_FRONTEND=noninteractive apt-get update
sudo DEBIAN_FRONTEND=noninteractive apt-get --yes --force-yes install checkinstall build-essential
sudo DEBIAN_FRONTEND=noninteractive apt-get --yes --force-yes build-dep openssl
sudo rm -rf ~/openssl
git clone https://github.com/openssl/openssl.git
cd openssl
sudo ./config
sudo make
sudo make test
sudo checkinstall
sudo rm -rf ~/openssl
sudo mv /usr/bin/c_rehash /usr/bin/c_rehashBACKUP
sudo mv /usr/bin/openssl /usr/bin/opensslBACKUP
sudo ln -s /usr/local/ssl/bin/c_rehash /usr/bin/c_rehash
sudo ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
openssl version
apt-cache show openssl
root@dedi-fr-23644:~#

root@dedi-fr-23644:~# openssl version
OpenSSL 1.1.0-pre3-dev xx XXX xxxx
root@dedi-fr-23644:~# openssl engine padlock
(padlock) VIA PadLock (no-RNG, ACE)

# Tor
apt-get install libevent-dev
wget https://www.torproject.org/dist/tor-0.2.8.1-alpha.tar.gz
cd tor-0.2.8.1-alpha
apt-get install zlib1g zlib1g-dev
./configure --with-openssl-dir=/usr/local/openssl --enable-static-openssl
make
make install
mv /usr/bin/tor /usr/bin/tor.orig
ln -s /etc/tor/torrc /usr/local/etc/tor/torrc

# Edit /etc/tor/torrc and add
HardwareAccel 1
AccelName padlock

/usr/local/bin/tor -f /etc/tor/torrc &

In /etc/tor/torrc:
HardwareAccel 1
AccelName padlock
Do you get messages about successfully using 'padlock' in /var/log/tor/log?
Yes
root@dedi-fr-23644:~# zgrep -i padlock /var/log/tor/log*
/var/log/tor/log:Jun 05 16:58:27.000 [notice] Default OpenSSL engine for AES-128-ECB is VIA PadLock (no-RNG, ACE) [padlock]

I see with iptraf 60.000kbit/s peak with 30% use of main CPU.
Do you mean 60 Mbit? If so, then that's a very good result for only 30% CPU.
It means that the padlock is doing its job in making crypto acceleration.
I'm wondering if those small boxes are hitting a limit of the hardware acceleration or a limit of the provider or the Tor network itself.
Remember the Tor network won't instantly use 100% of your CPU or bandwidth capabilities, it will take time to ramp up to speed: https://blog.torproject.org/blog/lifecycle-of-a-new-relay
Is there a way to measure the use of the hw acceleration given by the Via Padlock, whether it's at 10% of its capacity or 100%?
There is no way, the only hint you have is the general CPU load.
That's the point, I want to measure how the padlock hw accel is performing, to understand if it does hit its limits or not.
I think that we need to find a way