AES-NI enable or disable

Question

I measured the performance of AES using following command before and after setting the kernel config CONFIG_CRYPTO_AES_NI_INTEL but the performance is very similar, i am not sure is it using AES-NI or not, i check the cpu is AES-NI capable and CPUID shows AES-NI enable,

# openssl s_time -connect myserver:443 -www /file.html -new -time 30 -cipher AES128-SHA
Collecting connection statistics for 30 seconds
2293 connections in 10.42s; 220.06 connections/user sec, bytes read
2404343494
2293 connections in 31 real seconds, 1048558 bytes read per connection

why enabling the config option CONFIG_CRYPTO_AES_NI_INTEL doesn't make any difference. please note i already had the

CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_AES_X86_64=y 
CONFIG_CRYPTO_CRYPTD=y

in both the case

Answer 1

CPU's are simply very fast so you may indeed not notice much. In general native code will be so fast that it simply saturates the connection, leaving only the actual I/O timing and latency / encryption overhead (the SSL frames will still result in more bytes having to be send). Furthermore, the HMAC (a hash based message authentication code) over the plaintext will take about as much time as the encryption itself.

You may actually have about twice the performance compared to CPU only encryption for the AES calculations themselves. Of course you'd still be missing the enhanced protection against timing attacks, the fact that the ALU's don't get hammered and possibly some power advantages if you disable AES-NI.

Answer 2

add

-evp  

and change cipher

Hope it helps.