What I have investigated may be helpful for you. There is an article from Intel: https://software.intel.com/sites/default/files/open-ssl-performance-paper.pdf
They use Apache to test, and they said they did not tune any configuration of Apache.
I think it is the same for Nginx.
I use gdb to trace back, and here is my result:
(gdb) bt
#0 0x00000000004dcd50 in aesni_init_key ()
#1 0x00000000004d8dff in EVP_CipherInit_ex ()
#2 0x0000000000494c5a in ssl3_send_newsession_ticket ()
#3 0x00000000004997e8 in ssl3_accept ()
#4 0x00000000004281af in ngx_ssl_handshake (c=0x7ffff7fad1c0) at src/event/ngx_event_openssl.c:996
#5 0x0000000000428571 in ngx_ssl_handshake_handler (ev=0x8c3770) at src/event/ngx_event_openssl.c:1144
#6 0x0000000000424467 in ngx_epoll_process_events (cycle=0x89b9d0, timer=<value optimized out>, flags=<value optimized out>)
at src/event/modules/ngx_epoll_module.c:691
#7 0x000000000041bd43 in ngx_process_events_and_timers (cycle=0x89b9d0) at src/event/ngx_event.c:248
#8 0x0000000000421de8 in ngx_single_process_cycle (cycle=0x89b9d0) at src/os/unix/ngx_process_cycle.c:315
#9 0x000000000040519c in main (argc=<value optimized out>, argv=<value optimized out>) at src/core/nginx.c:404
EVP_CipherInit_ex uses ctx->cipher->init(ctx,key,iv,enc) to start aesni_init_key(). The details are defined in openssl/crypto/evp/e_aes.c:
#define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
static const EVP_CIPHER aesni_##keylen##_##mode = { \
nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
flags|EVP_CIPH_##MODE##_MODE, \
aesni_init_key, \
aesni_##mode##_cipher, \
NULL, \
sizeof(EVP_AES_KEY), \
NULL,NULL,NULL,NULL }; \
static const EVP_CIPHER aes_##keylen##_##mode = { \
nid##_##keylen##_##nmode,blocksize, \
keylen/8,ivlen, \
flags|EVP_CIPH_##MODE##_MODE, \
aes_init_key, \
aes_##mode##_cipher, \
NULL, \
sizeof(EVP_AES_KEY), \
NULL,NULL,NULL,NULL }; \
const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
{ return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
AESNI_CAPABLE determines which function is enabled, aes_init_key or aes_init_key. This is completed at compilation.
You can find further details here.
If your OpenSSL EVP interface has AESNI enabled, Nginx also uses it.
So for your case, I think Nginx is using AESNI by default.
Best Answer
The openssl command is salting your input and putting it in an OpenSSL encryption container. You could use the -nosalt option, but it will reduce the security of your encryption. I know less about the gpg command, but I'm pretty sure it's doing something similar. Its output is far too large to be just the word "apple" encrypted.
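Added example (not part of the original answer): a small Python parser for the salted container that openssl enc writes, showing where the extra bytes come from and why -nosalt makes the derived key depend on the password alone. It assumes a 16-byte block cipher with PKCS#7 padding and the legacy EVP_BytesToKey derivation (no -pbkdf2) with SHA-256; the password and sample blob are constructed.

```python
import hashlib

MAGIC = b"Salted__"  # marker `openssl enc` writes before the salt
SALT_LEN = 8

def parse_container(blob):
    """Split `openssl enc` output into header fields and ciphertext."""
    if blob.startswith(MAGIC):
        if len(blob) < len(MAGIC) + SALT_LEN:
            raise ValueError("truncated Salted__ header")
        salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
        body = blob[len(MAGIC) + SALT_LEN:]
    else:
        salt, body = None, blob  # -nosalt output: ciphertext only
    return {"salt": salt, "ciphertext": body, "header_len": len(blob) - len(body)}

def padded_len(n, block=16):
    """PKCS#7 padding always adds 1..block bytes."""
    return (n // block + 1) * block

def evp_bytes_to_key(password, salt, key_len, iv_len, digest="sha256"):
    """Legacy EVP_BytesToKey, one iteration: D_i = H(D_{i-1} + password + salt)."""
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        prev = hashlib.new(digest, prev + password + (salt or b"")).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]

# Constructed sample: real header layout, zero bytes standing in for ciphertext.
SAMPLE = MAGIC + bytes(range(8)) + bytes(padded_len(len(b"apple")))

if __name__ == "__main__":
    info = parse_container(SAMPLE)
    print("total bytes:", len(SAMPLE), "header:", info["header_len"],
          "ciphertext:", len(info["ciphertext"]))
    # Same password (constructed): a new salt gives a new key, no salt never does.
    for salt in (info["salt"], b"\xff" * 8, None):
        key, _ = evp_bytes_to_key(b"hunter2", salt, 32, 16)
        print(salt, key.hex())
```

Five bytes of plaintext become 32 bytes on disk: 16 bytes of header plus one padded cipher block, before any base64 encoding.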