Forum Discussion
CPU Increase when enabling AES-GCM
Supposedly AES-GCM should be the "best" cipher right now in terms of efficiency, however I noticed when enabling it on the F5, CPU goes up significantly. This is on a Viprion 2100 blade, 11.5.1 HF6. Anyone else seeing this?
I'm using "MEDIUM:!ADH:!RC4:@SPEED:RSA+3DES" for the cipher string. Adding a "!AES-GCM" to the line causes the CPU to immediately drop.
- Brad_Parker (Cirrus)
Adding !SHA256 and !SHA384 will do the trick too. If SHA256 and SHA384 are an issue, that makes AES-GCM ciphers unusable until it's fixed.
Nitass, are those published BugIDs? I can't find them on askf5.com.
- nitass (Employee)
Sorry, I missed your post. No, it is not published (as of now), but you can open a support case and ask for bug information.
- Kai_Kataja (Altostratus)
I could not wait anymore and had to find the TLS/SSL hardware used from the article "SOL7778: BIG-IP hardware SSL and compression cards". Then search "Product Brief" for the specific chip to be sure if SHA-2 hardware acceleration is possible. Hopefully we get some answer from F5 to this SHA-2 CPU consumption issue.
- John_Heyer_1508 (Cirrostratus)
Looks like this did get fixed. We're on 11.6.1 HF2 now and I see no noticeable CPU increase with this cipher string, which should result in the vast majority of handshakes going SHA256 or SHA384:
ECDHE+AES-GCM:ECDHE+AES:RSA+AES+SHA:RSA+3DES
I'm thinking it may have been back in 11.6.0 HF5, which fixed this bug:
491030-6 : Nitrox crypto accelerator can sometimes hang when encrypting SSL records