
I'm trying to use AES-128-CBC-HMAC-SHA256 but this cipher-algorithm isn't available on a VM on a specific hosting provider.

The OS, installed packages, kernel, openssl version, and the like are the same on both VMs (different provider).

Does this have to do with specific CPU flags?

This is the diff of the openssl list-cipher-algorithms command run on 2 servers on different providers:

@@ -1,4 +1,6 @@ AES-128-CBC +AES-128-CBC-HMAC-SHA1 +AES-128-CBC-HMAC-SHA256 AES-128-CFB AES-128-CFB1 AES-128-CFB8 @@ -14,6 +16,8 @@ AES-192-ECB AES-192-OFB AES-256-CBC +AES-256-CBC-HMAC-SHA1 +AES-256-CBC-HMAC-SHA256 AES-256-CFB AES-256-CFB1 AES-256-CFB8 @@ -102,6 +106,8 @@ SEED-ECB SEED-OFB AES-128-CBC +AES-128-CBC-HMAC-SHA1 +AES-128-CBC-HMAC-SHA256 id-aes128-CCM AES-128-CFB AES-128-CFB1 @@ -121,6 +127,8 @@ id-aes192-GCM AES-192-OFB AES-256-CBC +AES-256-CBC-HMAC-SHA1 +AES-256-CBC-HMAC-SHA256 id-aes256-CCM AES-256-CFB AES-256-CFB1

I've searched a lot but couldn't find any hint about ciphers depending on specific hardware. Just that specific CPU capabilities speed up some algorithms.

Any hint on how I could use these cipher-algorithms would be much appreciated :)

Erik
  • Are you sure the kernels and everything are the same? How did you check? Simply looking at the version number is not enough. Might need to compare checksums or something. – Zoredache Jul 11 '19 at 18:28
  • @Zoredache: All systems are set up using the same operating system and versions. And yes, even the md5sums of both kernel images are identical. The OS is Amazon Linux 2 and the kernel version used is 4.14.128-112.105.amzn2.x86_64 – Erik Jul 12 '19 at 08:51

1 Answer


I had a similar issue: AES-128-CBC-HMAC-SHA256 was missing on one VM but available on another VM running the same OS with the same kernel. I had to vMotion the VM off to an ESXi host running on an AMD Opteron 6380, which supports the aes flag.

    # grep -m1 -o aes /proc/cpuinfo
    aes

Alap Shah
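A check for the dependency the answer describes, as an added example that is not part of the original posts: it compares the guest-visible `aes` CPU flag with the AES-CBC-HMAC names in a saved cipher listing. The function names, verdict strings and sample inputs are constructed for illustration; the command in the last comment is the one from the question.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed for illustration.

# has_cpu_flag FLAG [FILE]: succeed if FLAG is a whole word on the first
# "flags" line. A substring match for "aes" would also hit e.g. "vaes".
has_cpu_flag() {
    awk -v f="$1" -F: '
        /^flags[ \t]*:/ {
            n = split($2, a, " ")
            for (i = 1; i <= n; i++) if (a[i] == f) found = 1
            exit
        }
        END { exit !found }' "${2:-/proc/cpuinfo}"
}

# count_stitched FILE: distinct AES-*-CBC-HMAC-* names in a cipher listing
# (names can repeat in the listing, so duplicates are collapsed).
count_stitched() {
    { grep -E '^AES-(128|256)-CBC-HMAC-SHA(1|256)$' "$1" || true; } |
        sort -u | wc -l | tr -d ' '
}

# diagnose CPUINFO LISTING: print a one-word verdict.
diagnose() {
    n=$(count_stitched "$2")
    if has_cpu_flag aes "$1"; then
        if [ "$n" -gt 0 ]; then echo ok; else echo flag-present-ciphers-missing; fi
    elif [ "$n" -gt 0 ]; then
        echo inputs-from-different-hosts
    else
        echo aes-flag-not-exposed
    fi
}

# write_samples DIR: constructed inputs, not data from the servers in the question.
# "vaes" without "aes" is contrived, to exercise the whole-word match.
write_samples() {
    printf 'processor\t: 0\nflags\t\t: fpu sse2 aes avx\n' > "$1/cpu_aes"
    printf 'processor\t: 0\nflags\t\t: fpu sse2 vaes avx\n' > "$1/cpu_noaes"
    printf '%s\n' AES-128-CBC AES-128-CBC-HMAC-SHA1 AES-128-CBC-HMAC-SHA256 \
        AES-256-CBC AES-128-CBC AES-128-CBC-HMAC-SHA1 > "$1/list_full"
    printf '%s\n' AES-128-CBC AES-128-CFB AES-256-CBC > "$1/list_plain"
}

# Live use: openssl list-cipher-algorithms > /tmp/l; sh this_file /proc/cpuinfo /tmp/l
if [ "$#" -eq 2 ]; then diagnose "$1" "$2"; fi
```

An `aes-flag-not-exposed` verdict points at the host CPU or hypervisor, as in the answer, rather than at the OpenSSL package.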