Optimised OpenSSL Library for ER-X

This article introduces an optimised build of OpenSSL 1.0.1te for the EdgeRouter-X. It has been tested on firmware v1.10 and should work on models sharing the same ER-X platform. Note that this optimised library is not built for Cavium-based EdgeRouters and will not work on those models.

Also worth pointing out: OpenSSL release 1.0.1te is not official and you cannot find it among the 1.0.1 branch releases. My guess is that Ubiquiti integrated release 1.0.1e in the firmware and has gradually cherry-picked patches from the 1.0.1 branch up to release 1.0.1t. Hence the "te" in 1.0.1te. The latest official release from OpenSSL is 1.0.1u, so EdgeRouter is one step behind on the 1.0.1 branch. Not bad.

This optimised build is compiled from the source code in the Ubiquiti GPL tarball for the firmware v1.10 release.

WARNING: If you don't follow the instructions below carefully, there is a (very small) risk that you may lock yourself out of the EdgeRouter-X. For that extremely rare case, a recovery option is made available by user communities. I haven't had the chance to try it.

Installation

Let's back up the old library files and set up an alternative way to log in to the EdgeRouter-X.

Enable Telnet server

Telnet will save us if we mess up and get locked out of SSH, so make sure you have Telnet enabled via the GUI or CLI. Test it and ensure it actually works before proceeding.

Backup old library files

$ sudo -i
$ mkdir -p /config/user-data/libssl-backup/engines
$ cd /config/user-data/libssl-backup
$ cp /usr/lib/mipsel-linux-gnu/openssl-1.0.0/engines/* engines
$ cp /usr/lib/mipsel-linux-gnu/libcrypto.so.1.0.0 .
$ cp /usr/lib/mipsel-linux-gnu/libssl.so.1.0.0 .

Install new library files

Do not disconnect your SSH session until you have passed the sanity check.

$ cd /tmp
$ curl -o libssl1.0.0_1.0.1te-2+deb7u21+ubnt1_mipsel.deb https://raw.githubusercontent.com/kvic-z/goodies-edgemax/master/libssl1.0.0_1.0.1te-2%2Bdeb7u21%2Bubnt1_mipsel.deb
$ dpkg -i /tmp/libssl1.0.0_1.0.1te-2+deb7u21+ubnt1_mipsel.deb

Sanity check after library update

Let's restart the SSH server. Don't worry: your current SSH session won't get disconnected.

$ service ssh restart

If SSH fails to restart, stop and restore old library files from backup.

Next, open a new terminal or launch a new session from your SSH client. SSH into your router. If SSH handshake fails, stop and restore the old files from backup.

Restart your router

Only reboot if you've passed the above sanity check.

Restore old library files

In case you mess up or the new library simply does not work, here are the steps to restore from backup.

$ cp /config/user-data/libssl-backup/engines/* /usr/lib/mipsel-linux-gnu/openssl-1.0.0/engines
$ cp /config/user-data/libssl-backup/* /usr/lib/mipsel-linux-gnu

Repeat the sanity check to confirm restore is successful.
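The backup, install and restore steps above, wrapped into a small POSIX sh helper that also checks the backup byte for byte before and after a rollback (added example, not code from the original article or from the kvic-z repository). LIBDIR and BACKUP default to the ER-X paths used above and can be overridden, which is how the helper is exercised on a scratch directory; the .deb path passed to install_libssl is whatever you downloaded.

```shell
#!/bin/sh
# Added example: backup / verify / restore helper for the libssl swap above.
# Paths default to the EdgeRouter-X locations from the article; override for testing.
LIBDIR="${LIBDIR:-/usr/lib/mipsel-linux-gnu}"
BACKUP="${BACKUP:-/config/user-data/libssl-backup}"
LIBS="libcrypto.so.1.0.0 libssl.so.1.0.0"

# Compare every backed-up file byte for byte with the live copy. A backup that
# does not match the installed files cannot be trusted as a rollback point.
verify_backup() {
    for f in $LIBS; do cmp -s "$LIBDIR/$f" "$BACKUP/$f" || return 1; done
    for e in "$LIBDIR/openssl-1.0.0/engines/"*; do
        cmp -s "$e" "$BACKUP/engines/$(basename "$e")" || return 1
    done
}

backup_libssl() {
    mkdir -p "$BACKUP/engines" || return 1
    cp "$LIBDIR/openssl-1.0.0/engines/"* "$BACKUP/engines/" || return 1
    for f in $LIBS; do cp "$LIBDIR/$f" "$BACKUP/$f" || return 1; done
    verify_backup
}

restore_libssl() {
    cp "$BACKUP/engines/"* "$LIBDIR/openssl-1.0.0/engines/" || return 1
    for f in $LIBS; do cp "$BACKUP/$f" "$LIBDIR/$f" || return 1; done
    verify_backup   # live files must again equal the backup
}

# Install the new .deb only when a verified backup exists, and roll back
# automatically if dpkg fails or sshd will not restart with the new library.
install_libssl() {
    deb="$1"
    verify_backup || { echo "no valid backup, refusing to install" >&2; return 1; }
    if ! dpkg -i "$deb" || ! service ssh restart; then
        echo "install or sshd restart failed, restoring backup" >&2
        restore_libssl
        service ssh restart
        return 1
    fi
    echo "library installed; open a NEW ssh session to confirm before rebooting"
}
```

The script deliberately does not reboot: the final check (a fresh SSH handshake from a second terminal) stays manual, exactly as the article describes.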

Benchmark

Hooray! If you've reached this point, you have successfully installed the new library files. Now let's see the performance boost.

Ubiquiti stock OpenSSL library

# openssl speed test numbers

OpenSSL 1.0.1e 11 Feb 2013  
built on: Thu Jan 25 08:59:14 UTC 2018

type         16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  
-------------------------------------------------------------------------- 
sha1          2888.03k     8336.02k    18344.58k    26060.46k    29659.94k  
sha256        2017.21k     4639.68k     8167.85k    10101.76k    10820.04k  
aes-128-cbc  11604.64k    12695.05k    13007.54k    12817.75k    13118.16k  
-------------------------------------------------------------------------- 
                  sign/s verify/s
rsa 1024 bits       54.9   1147.7  
rsa 2048 bits        9.0    343.0  
rsa 4096 bits        1.4     96.7  
dsa 1024 bits      115.4     96.1  
dsa 2048 bits       34.2     28.9

# openvpn throughput

aes-128-cbc 25.2Mbps  
aes-256-cbc 23.4Mbps  

This optimised OpenSSL build

# openssl speed test numbers

OpenSSL 1.0.1e 11 Feb 2013  
built on: Mon Feb 26 18:36:58 UTC 2018

type         16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  
-------------------------------------------------------------------------- 
sha1          3375.42k    10791.47k    26679.31k    41283.24k    51606.86k  
sha256        3182.77k     8147.95k    15476.05k    19808.83k    22353.24k  
aes-128-cbc  12459.23k    13650.56k    13869.23k    13889.54k    13991.94k  
-------------------------------------------------------------------------- 
sha1           +16.9%       +29.5%       +45.4%       +58.4%       +74.0%  
sha256         +57.8%       +75.6%       +89.5%       +96.1%        +107%  
aes-128-cbc    +7.36%       +7.53%       +6.62%       +8.36%       +6.66%  
-------------------------------------------------------------------------- 
                  sign/s verify/s
rsa 1024 bits       64.8   1311.4 | +18.0%  +14.3%  
rsa 2048 bits       10.5    393.2 | +16.7%  +14.6%  
rsa 4096 bits        1.6    109.8 | +14.3%  +13.5%  
dsa 1024 bits      134.8    112.9 | +16.8%  +17.5%  
dsa 2048 bits       40.0     34.0 | +17.0%  +17.6%

# openvpn throughput

aes-128-cbc 31.8Mbps (+26.2%)  
aes-256-cbc 28.9Mbps (+23.5%)  

SHA256 hashing gains a phenomenal speed-up: for typical packet lengths, around double the performance. SHA1 hashing also gets a significant boost. RSA/DSA receive non-trivial gains in sign/verify, anywhere between 13.5% and 18%. OpenVPN is 20+ per cent faster, though in absolute terms its throughput still falls far short of IPsec performance.

Programs that benefit from faster OpenSSL

SSH, OpenVPN and the GUI first come to mind. Below is the complete list in my setup; programs from more exotic configurations may be missing.

charon   - strongSwan for IPsec key exchange  
ddclient - the dynamic DNS client  
monit    - keepalive for critical processes  
ntpd     - NTP daemon  
snmpd    - SNMP daemon  
sshd     - SSH server  
imi, nsm, ribd   - routing daemons  
lighttpd, python - the GUI service  
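To reproduce this list for your own configuration, the following POSIX sh script (added example, not from the original article) scans /proc/<pid>/maps for processes that currently map an OpenSSL shared library. It also flags mappings the kernel marks "(deleted)", which is what a running daemon shows after the .deb has replaced libssl/libcrypto on disk: such processes still execute the old code until restarted, which is why the reboot step above matters. PROC defaults to /proc and is overridable so the functions can be run against a constructed tree.

```shell
#!/bin/sh
# Added example: which running processes use libssl/libcrypto, and which of
# them still hold a replaced ("deleted") copy after the library swap.
PROC="${PROC:-/proc}"

# Print "pid name path status" for every process with a mapping whose path
# matches the given library name (e.g. libssl.so or libcrypto.so).
# /proc/<pid>/maps fields: address perms offset dev inode pathname [(deleted)]
libssl_users() {
    lib="$1"
    for maps in "$PROC"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=$(basename "$(dirname "$maps")")
        name=$(cat "$PROC/$pid/comm" 2>/dev/null || echo '?')
        awk -v pid="$pid" -v name="$name" -v lib="$lib" '
            $6 ~ lib {
                status = ($7 == "(deleted)") ? "STALE" : "ok"
                print pid, name, $6, status
            }' "$maps" | sort -u   # one line per library per process
    done
}

# Number of distinct processes that still map a deleted copy of the library;
# non-zero means the new build is not yet in use everywhere.
stale_count() {
    libssl_users "$1" | awk '$4 == "STALE" { print $1 }' | sort -u | wc -l | tr -d ' '
}
```

Run `libssl_users libssl.so` as root before the swap to get your own version of the list above, and `stale_count libcrypto.so` after `dpkg -i` to see what a reboot will clear.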

Enjoy the faster speed for free!

Author

Stephen Yip
