Reg solaris support for openssl 1.1.1b

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Reg solaris support for openssl 1.1.1b

ramakrushna mishra
Hi Dennis

Yes, 10-main.conf is modified for both the versions. 
Following are changes. 

<<< file 1: /view/rdl117_linuxx86_64/vobs_tools/src/openssl-1.1.1b/Configurations/10-main.conf@@/main/1
>>> file 2: 10-main.conf
********************************
-----[16 changed to 16]-----
<                                 ASFLAGS   => "/nologo /Zi",
---
>                                 ASFLAGS   => "/nologo",
-----[44 changed to 44]-----
<                                ASFLAGS   => "/nologo /Zi",
---
>                                ASFLAGS   => "/nologo",
-----[211 changed to 211]-----
<         ex_libs          => add("-lsocket -lnsl -ldl"),
---
>         ex_libs          => add("-lsocket -lnsl -ldl -lm -lrt"),
-----[1226 changed to 1226]-----
<         lib_cflags       => add("/Zi /Fdossl_static.pdb"),
---
>         lib_cflags       => add("/Fdossl_static.pdb"),
-----[1228-1229 changed to 1228-1229]-----
<         dso_cflags       => "/Zi /Fddso.pdb",
<         bin_cflags       => "/Zi /Fdapp.pdb",
---
>         dso_cflags       => "/Fddso.pdb",
>         bin_cflags       => "/Fdapp.pdb",

The error is coming for OPENSSL_sk_new_null which is changed in 1.1.1b compared to 1.1.1 with https://github.com/openssl/openssl/pull/7721
Can this be related ?

Thanks and Regards,
Ram Krushna


On Wed, Mar 27, 2019 at 4:07 PM <[hidden email]> wrote:
Send openssl-users mailing list submissions to
        [hidden email]

To subscribe or unsubscribe via the World Wide Web, visit
        https://mta.openssl.org/mailman/listinfo/openssl-users
or, via email, send a message with subject or body 'help' to
        [hidden email]

You can reach the person managing the list at
        [hidden email]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of openssl-users digest..."


Today's Topics:

   1. Re: Internal IP Exposed (Kyle Hamilton)
   2. Re: Reg solaris support for openssl 1.1.1b (ramakrushna mishra)
   3. Re: Reg solaris support for openssl 1.1.1b (Dennis Clarke)
   4. Re: Building OpenSSL 1.1.1b for WinCE700 (???? (Souju TANAKA))


----------------------------------------------------------------------

Message: 1
Date: Mon, 25 Mar 2019 22:09:31 -0500
From: Kyle Hamilton <[hidden email]>
To: Abdul Qoyyuum <[hidden email]>
Cc: openssl-users <[hidden email]>
Subject: Re: Internal IP Exposed
Message-ID:
        <CAPMEXDY1UVrXFrfFJbFq=[hidden email]>
Content-Type: text/plain; charset="UTF-8"

That's a configuration issue with the servers, not an issue with the
openssl command itself.

There's no information on what the back-end HTTP server software is
being used.  If it were Apache, there would be a ServerName directive
that could change the server's idea of what name it should refer to
itself as.  I don't have information on other server software
configuration.

-Kyle H

On Sun, Mar 24, 2019 at 7:34 PM Abdul Qoyyuum
<[hidden email]> wrote:
>
> Hi all,
>
> New to the mailing list and a complete newbie to openssl and the likes. There's a ticket by a client that I'm new at and he claims that there's a security problem with the openssl command to his servers.
>
> Internal IP exposed after running a openssl (version 1.1.0j) connect command:
>
> openssl s_client -connect 103.XX.XXX.XX:10443 -quiet
>
> Where 103.XX.XXX.XX is a Public IP. And after it shows the certificates, typed the following:
>
> GET /images HTTP/1.0
>
> And hit enter twice, the following gets displayed:
>
> HTTP/1.0 301 Moved Permanently
> Date: Mon, 25 Mar 2019 00:10:13 GMT
> Server: xxxxxxxx-xxxxx
> Location: https://10.240.123.1:10443/images/
> Connection: close
> Content-Type: text/html; charset=utf-8
> X-Frame-Options: SAMEORIGIN
> Content-Security-Policy: frame-ancestors 'self'
> X-XSS-Protection: 1; mode=block
> X-Content-Type-Options: nosniff
> Strict-Transport-Security: max-age=28800
>
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <HTML><HEAD>
> <TITLE>301 Moved Permanently</TITLE>
> </HEAD><BODY>
> <H1>Moved Permanently</H1>
> The document has moved <A HREF="https://10.240.123.1:10443/images/">here</A>.<P>
> </BODY></HTML>
> read:errno=0
>
> The 10.240.123.1 is an internal IP and it is exposed by this little method. Although not shown when using curl -kv -O command.
>
> Is there a way to cover up the "Location" or at least the internal IP from being exposed? Thanks.
>
> Sorry if this isn't clear or if this is the wrong place to ask this.
>
> --
> Abdul Qoyyuum Bin Haji Abdul Kadir
> HP No: +673 720 8043


------------------------------

Message: 2
Date: Tue, 26 Mar 2019 10:08:12 +0530
From: ramakrushna mishra <[hidden email]>
To: [hidden email]
Subject: Re: Reg solaris support for openssl 1.1.1b
Message-ID:
        <CAHgr=[hidden email]>
Content-Type: text/plain; charset="utf-8"

>
> Hi All,
>

Thanks for your responses.
I am able to build openssl 1.1.1 on my solaris and able to run "openssl
version".
I followed the same procedure for openssl 1.1.1b and when I run "openssl
version"  seeing the mentioned error. i.e
"ld.so.1: openssl: fatal: relocation error: file openssl: symbol
OPENSSL_sk_new_null: referenced symbol not found
Killed
".

So, How come it works with openssl 1.1.1 and not with 1.1.1b.
I am using the same machine and same procedure to configure and install it.
So, Is there anything different that need to be done for 1.1.1b version ?

Thanks and Regards,
Ram Krushna


>
> On Sat, Mar 16, 2019 at 6:20 AM <[hidden email]> wrote:
>
>> Send openssl-users mailing list submissions to
>>         [hidden email]
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>>         https://mta.openssl.org/mailman/listinfo/openssl-users
>> or, via email, send a message with subject or body 'help' to
>>         [hidden email]
>>
>> You can reach the person managing the list at
>>         [hidden email]
>>
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of openssl-users digest..."
>>
>>
>> Today's Topics:
>>
>>    1. Re: Reg solaris support for openssl 1.1.1b (Jakob Bohm)
>>    5. Re: Reg solaris support for openssl 1.1.1b (Dennis Clarke)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Fri, 15 Mar 2019 18:19:53 +0100
>> From: Jakob Bohm <[hidden email]>
>> To: [hidden email]
>> Subject: Re: Reg solaris support for openssl 1.1.1b
>> Message-ID: <[hidden email]>
>> Content-Type: text/plain; charset=utf-8; format=flowed
>>
>> On 15/03/2019 14:33, Dennis Clarke wrote:
>> > On 3/15/19 5:38 AM, Matthias St. Pierre wrote:
>> >> My guess is that your binary is loading the system's shared libraries.
>> >> To find out whether this is the case, try
>> >>
>> >>  ??? ldd bin/openssl
>> >>
>> >> If my assumption is correct, you might have to set the LD_LIBRARY_PATH
>> >> explicitely.
>> > Actually LD_LIBRARY_PATH is evil.
>> >
>> > The correct way to do this is to compile with a RUNPATH set in the
>> > output ELF files.
>> LD_LIBRARY_PATH overriding the compiled in RUNPATH is appropriate when
>> testing
>> a newly compiled binary before installing the libraries to their final
>> locations, perhaps
>> on the same, perhaps on another machine.
>>
>> P.S.
>> I don't known if the Solaris loader lets LD_LIBRARY_PATH override
>> RUNPATH as
>> presumed by the above answer.
>>
>> Enjoy
>>
>> Jakob
>> --
>> Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
>> Transformervej 29, 2860 S?borg, Denmark.  Direct +45 31 13 16 10
>> This public discussion message is non-binding and may contain errors.
>> WiseMo - Remote Service Management for PCs, Phones and Embedded
>>
>>
>>
>> ------------------------------
>> Message: 5
>> Date: Fri, 15 Mar 2019 20:49:30 -0400
>> From: Dennis Clarke <[hidden email]>
>> To: [hidden email]
>> Subject: Re: Reg solaris support for openssl 1.1.1b
>> Message-ID: <[hidden email]>
>> Content-Type: text/plain; charset=utf-8
>>
>> On 3/15/19 1:19 PM, Jakob Bohm via openssl-users wrote:
>> > On 15/03/2019 14:33, Dennis Clarke wrote:
>> >> On 3/15/19 5:38 AM, Matthias St. Pierre wrote:
>> >>> My guess is that your binary is loading the system's shared libraries.
>> >>> To find out whether this is the case, try
>> >>>
>> >>> ???? ldd bin/openssl
>> >>>
>> >>> If my assumption is correct, you might have to set the LD_LIBRARY_PATH
>> >>> explicitely.
>> >> Actually LD_LIBRARY_PATH is evil.
>> >>
>> >> The correct way to do this is to compile with a RUNPATH set in the
>> >> output ELF files.
>> > LD_LIBRARY_PATH overriding the compiled in RUNPATH is appropriate when
>> > testing
>> > a newly compiled binary before installing the libraries to their final
>> > locations, perhaps
>> > on the same, perhaps on another machine.
>> >
>> > P.S.
>> > I don't known if the Solaris loader lets LD_LIBRARY_PATH override
>> > RUNPATH as
>> > presumed by the above answer.
>>
>> Yes it certainly does. Otherwise testing a new custom lib would be a
>> royal pain as opposed to just a pain.  Also most people still, after
>> twenty years, know what LD_LIBRARY_PATH env var is for and it is a waste
>> of breath trying to explain it after decades of watching folks skewer
>> themselves over and over and over ....
>>
>> dc
>>
>>
>>
>> ------------------------------
>>
>> Subject: Digest Footer
>>
>> _______________________________________________
>> openssl-users mailing list
>> [hidden email]
>> https://mta.openssl.org/mailman/listinfo/openssl-users
>>
>>
>> ------------------------------
>>
>> End of openssl-users Digest, Vol 52, Issue 19
>> *********************************************
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20190326/09253e6e/attachment-0001.html>

------------------------------

Message: 3
Date: Tue, 26 Mar 2019 02:55:38 -0400
From: Dennis Clarke <[hidden email]>
To: [hidden email]
Subject: Re: Reg solaris support for openssl 1.1.1b
Message-ID: <[hidden email]>
Content-Type: text/plain; charset=utf-8

On 3/26/19 12:38 AM, ramakrushna mishra wrote:
>     Hi All,
>
>
> Thanks for your responses.?
> I am able to build openssl 1.1.1 on my solaris and able to run "openssl
> version".
> I followed the same procedure for openssl 1.1.1b and when I run "openssl
> version"? seeing the mentioned error. i.e?
> "ld.so.1: openssl: fatal: relocation error: file openssl: symbol
> OPENSSL_sk_new_null: referenced symbol not found

Did you modify Configurations/10-main.conf ?



--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional


------------------------------

Message: 4
Date: Wed, 27 Mar 2019 19:33:44 +0900
From: ???? (Souju TANAKA) <[hidden email]>
To: [hidden email]
Subject: Re: Building OpenSSL 1.1.1b for WinCE700
Message-ID:
        <[hidden email]>
Content-Type: text/plain; charset="utf-8"

Hello,

It works with our custommized cURL code.
I wrote a detailed build instruction for CE.
  https://qiita.com/souju/items/94117c024862f57459c3

> It would be good if you created a github PR for this so the changes can be
> considered for inclusion.

Thank you. I post the PR.
  https://github.com/openssl/openssl/pull/8596

Regards,
Souju TANAKA


2019?3?19?(?) 18:39 Matt Caswell <[hidden email]>:

>
>
> On 19/03/2019 07:08, ???? wrote:
> > Hello,
> >
> > I have successfully build OpenSSL 1.1.1b (only libraries, no app) for
> > WINCE700-ARMV4I, though I don't do any tests. Here is what I did. I hope
> > original sources will be changed so as there is no need to change.
>
> It would be good if you created a github PR for this so the changes can be
> considered for inclusion.
>
> Matt
>
>
> >
> > 1. Modify wcecompat.
> >
> > Add an alias, "_access" for access() in wcecompat io.h as below.
> > --
> > #define access _wceaccess
> > #define _access _wceaccess
> > --
> >
> > 2. Set Environmental variables
> >
> > set OSVERSION=WCE700
> > set PLATFORM=VC-CE
> > set TARGETCPU=ARMV4I
> > set WCECOMPAT=C:\Users\dev\tanaka\wcecompat
> > set LIB=C:\Program Files (x86)\Microsoft Visual Studio
> > 9.0\VC\ATLMFC\LIB;C:\Program Files (x86)\Windows CE
> > Tools\SDKs\YOUR_SDK_NAME\Lib\ARMV4I;C:\Program Files\Microsoft
> > SDKs\Windows\v6.0A\Lib;C:\Program Files (x86)\Microsoft Visual Studio
> > 9.0\VC\ce\lib\ARMV4I;C:\Program Files (x86)\Microsoft Visual Studio
> 9.0\VC\lib
> > set INCLUDE=C:\Program Files (x86)\Windows CE
> > Tools\SDKs\YOUR_SDK_NAME\Include\ARMV4I;C:\Program Files (x86)\Microsoft
> Visual
> > Studio 9.0\VC\atlmfc\include;C:\Program Files (x86)\Microsoft Visual
> Studio
> > 9.0\VC\INCLUDE;C:\Program Files\Microsoft SDKs\Windows\v6.0A\include;
> > set Path=C:\WINCE700\sdk\bin\i386\arm;C:\Program Files (x86)\Microsoft
> Visual
> > Studio 9.0\Common7\Tools;C:\Program Files (x86)\Microsoft Visual Studio
> > 9.0\VC\VCPackages;C:\Program Files\Microsoft
> >
> SDKs\Windows\v6.0A\bin;C:\cygwin64\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program
> > Files (x86)\Microsoft Visual Studio 9.0\Common7\IDE;C:\Program Files
> > (x86)\Microsoft Visual Studio 9.0\VC\BIN;%Path%
> > set LIBPATH=C:\Program Files (x86)\Microsoft Visual Studio
> > 9.0\VC\ATLMFC\LIB;"C:\Program Files (x86)\Windows CE
> > Tools\SDKs\YOUR_SDK_NAME\Lib\ARMV4I";C:\Program Files (x86)\Microsoft
> Visual
> > Studio 9.0\VC\lib;C:\Program Files (x86)\Microsoft Visual Studio
> > 9.0\VC\ce\lib\ARMV4I;
> >
> > 3. Configure
> >
> > (for ARM)(Configurations/windows-makefile.tmpl) Delete a line of
> "setargv.obj".
> > setargv.obj in C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\lib
> is for
> > x86 and cannot be linked with ARM objs.
> >
> > C:\Strawberry\perl\bin\perl Configure no-idea no-mdc2 no-rc5 no-asm
> no-ssl3
> > no-stdio no-async no-engine VC-CE
> >
> > Using full path to specify Strawberry perl. I recommend Strawberry perl
> here to
> > avoid error messages, I used 5.24.4.1-32bit.
> >
> > I added 3 options of "no-stdio" and "no-engine", "no-async". Because..
> >   * no-stdio: GetStdHandle() and STD_INPUT_HANDLE cannot be used in
> WinCE. (used
> > in apps\apps.c)
> >   * no-engine: Lack of CreatePipe() in WinCE (used in engines\e_dasync.c)
> >   * no-async: Lack of ConvertFiberToThread() in WinCE (used in
> > crypto\async\arch\async_win.c)
> > By "no-stdio" option, we build only libraries. No command line
> application are
> > generated.
> >
> > 4. Modify "makefile"
> >
> >   * Add -D_MSC_VER=1300 in "CFLAGS="
> >   * In "CNF_CPPFLAGS=", change -I"\$(WCECOMPAT)/include" to
> -I$(WCECOMPAT)/include
> >   * Change CNF_EX_LIBS=3 to CNF_EX_LIBS=ws2.lib crypt32.lib kernel32.lib
> > $(WCECOMPAT)\lib\wcecompat.lib $(WCECOMPAT)\lib\wcecompatex.lib
> corelibc.lib
> > coredll.lib
> >
> > 5. Modify C Source
> >
> > Comment out a line of "#  define stat    _stat" in
> >   crypto\conf\conf_def.c
> >   crypto\rand\randfile.c
> >   crypto\store\loader_file.c
> > Comment out a line of "#  define fstat   _fstat" in
> crypto\rand\randfile.c.
> >
> > (crypt/init.c 167l and 777l) For lack of GetModuleHandleEx() in CE,
> Change "#
> > ifdef DSO_WIN32" to "# if defined(DSO_WIN32) && !defined(_WIN32_WCE)"
> > -----------------
> > # ifdef DSO_WIN32
> >     {
> >         HMODULE handle = NULL;
> >         BOOL ret;
> >
> >         /* We don't use the DSO route for WIN32 because there is a
> better way */
> >         ret = GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS
> > -----------------
> >
> > (crypto\rand\randfile.c 257l) For lack of GetEnvironmentVariableW() in
> CE,
> > Change "#if defined(_WIN32) && defined(CP_UTF8)" to "#if defined(_WIN32)
> &&
> > defined(CP_UTF8) && !defined(_WIN32_WCE)"
> >
> > (for ARM)(include\internal\refcount.h)
> >   * Add "#include <winbase.h>" for InterlockedExchangeAdd().
> >   * (106l) In function CRYPTO_UP_REF() and CRYPTO_DOWN_REF(), change 2
> > "_InterlockedExchangeAdd()" to be "InterlockedExchangeAdd()". There is no
> > _InterlockedExchangeAdd() for non x86 in C:\Program Files (x86)\Windows
> CE
> > Tools\SDKs\YOUR_SDK_NAME\Include\Armv4i\winbase.h.
> >
> > (crypt/threads_win.c 27l) For lack of
> InitializeCriticalSectionAndSpinCount() in
> > CE, change
> > ------------------
> >     /* 0x400 is the spin count value suggested in the documentation */
> >     if (!InitializeCriticalSectionAndSpinCount(lock, 0x400)) {
> >         OPENSSL_free(lock);
> >         return NULL;
> >     }
> > ------------------
> > to
> > ------------------
> > #ifndef _WIN32_WCE
> >     /* 0x400 is the spin count value suggested in the documentation */
> >     if (!InitializeCriticalSectionAndSpinCount(lock, 0x400)) {
> >         OPENSSL_free(lock);
> >         return NULL;
> >     }
> > #else
> >     InitializeCriticalSection(lock);
> > #endif
> > ------------------
> >
> > 6. Build
> >
> > nmake
> >
> > Then we will get the following artifacts.
> >   libcrypto.lib
> >   libcrypto-1_1.dll
> >   libcrypto-1_1.pdb
> >   libssl.lib
> >   libssl-1_1.dll
> >   libssl-1_1.pdb
> >
> > Regards,
> > Soju TANAKA
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20190327/9585737c/attachment.html>

------------------------------

Subject: Digest Footer

_______________________________________________
openssl-users mailing list
[hidden email]
https://mta.openssl.org/mailman/listinfo/openssl-users


------------------------------

End of openssl-users Digest, Vol 52, Issue 41
*********************************************
Reply | Threaded
Open this post in threaded view
|

Reg Speed test and Assembly code usage

ramakrushna mishra
Hi,

Could anyone please help me get the following information. 

-- How to verify that the openssl  is using the assembly code ( when asm is enabled) instead of the c code for the algorithms ? 
-- I m observing a small degradation (2 % for 16 byte size) for des-ede3 on openssl1.1.1 for Solaris. This might not be suggested to use the algorithm, but for learning purpose is there something that I can do to see if this can be improved. 

Thanks and Regards,
Ram Krushna
Reply | Threaded
Open this post in threaded view
|

Re: Reg Speed test and Assembly code usage

Dennis Clarke-2
On 4/4/19 3:32 AM, ramakrushna mishra wrote:

> Hi,
>
> Could anyone please help me get the following information. 
>
> -- How to verify that the openssl  is using the assembly code ( when asm
> is enabled) instead of the c code for the algorithms ? 
> -- I m observing a small degradation (2 % for 16 byte size) for des-ede3
> on openssl1.1.1 for Solaris. This might not be suggested to use the
> algorithm, but for learning purpose is there something that I can do to
> see if this can be improved. 

You will see plenty of lost performance on Solaris. It is a very very
slow old platform.  Also very little anyone can do to fix that.

For example here is a 15 year old Apple PowerMac :


hydra$ uname -a
FreeBSD hydra 13.0-CURRENT FreeBSD 13.0-CURRENT r344744 GENERIC  powerpc
hydra$ /usr/bin/openssl version
OpenSSL 1.1.1b-freebsd  26 Feb 2019
hydra$ /usr/bin/openssl speed rsa4096
Doing 4096 bits private rsa's for 10s: 83 4096 bits private RSA's in 10.02s
Doing 4096 bits public rsa's for 10s: 5808 4096 bits public RSA's in 10.00s
OpenSSL 1.1.1b-freebsd  26 Feb 2019
built on: reproducible build, date unspecified
options:bn(64,64) rc4(int) des(int) aes(partial) idea(int) blowfish(ptr)
compiler: gcc
                  sign    verify    sign/s verify/s
rsa 4096 bits 0.120764s 0.001722s      8.3    580.8
hydra$



Here is a fairly new Oracle M3000 server :


s10sparc$ uname -a
SunOS corv 5.10 Generic_150400-64 sun4u sparc SUNW,SPARC-Enterprise

s10sparc$ /bin/sparcv9/openssl version
OpenSSL 1.0.2p  14 Aug 2018
s10sparc$ /bin/sparcv9/openssl speed rsa4096
Doing 4096 bit private rsa's for 10s: 86 4096 bit private RSA's in 10.06s
Doing 4096 bit public rsa's for 10s: 5896 4096 bit public RSA's in 10.00s
OpenSSL 1.0.2p  14 Aug 2018
built on: date not available
options:bn(64,32) md2(int) rc4(ptr,int) des(ptr,risc1,16,int)
aes(partial) blowfish(ptr)
compiler: information not available
                  sign    verify    sign/s verify/s
rsa 4096 bits 0.116977s 0.001696s      8.5    589.6
s10sparc$


An expensive Oracle Netra T4-1 is not much better.


s10sparc$ /usr/local/bin/openssl version
OpenSSL 1.1.1b  26 Feb 2019
s10sparc$ /usr/local/bin/openssl speed rsa4096
Doing 4096 bits private rsa's for 10s: 78 4096 bits private RSA's in 10.08s
Doing 4096 bits public rsa's for 10s: 8229 4096 bits public RSA's in 10.00s
OpenSSL 1.1.1b  26 Feb 2019
built on: Tue Mar 26 06:51:39 2019 UTC
options:bn(64,32) rc4(char) des(int) aes(partial) idea(int) blowfish(ptr)
compiler: /opt/developerstudio12.6/bin/cc -KPIC -m64 -Xa -g
-errfmt=error -erroff=%none -errshort=full -xstrconst -xildoff
-xmemalign=8s -xnolibmil -xcode=pic32 -xregs=no%appl -xlibmieee -mc
-ftrap=%none -xbuiltin=%none -xdebugformat=dwarf -xunroll=1 -xarch=sparc
-xdebugformat=dwarf -xstrconst -m64 -xarch=sparc -g -Xa -errfmt=error
-erroff=%none -errshort=full -xstrconst -xildoff -xmemalign=8s
-xnolibmil -xcode=pic32 -xregs=no%appl -xlibmieee -mc -ftrap=%none
-xbuiltin=%none -xunroll=1 -Qy -xdebugformat=dwarf -DFILIO_H -DB_ENDIAN
-DBN_DIV2W -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM
-DAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -D_REENTRANT
-DNDEBUG -I/usr/local/include -D_POSIX_PTHREAD_SEMANTICS
-D_LARGEFILE64_SOURCE -D_TS_ERRNO
                  sign    verify    sign/s verify/s
rsa 4096 bits 0.129231s 0.001215s      7.7    822.9
s10sparc$


Also a dirt cheap machine built from spare parts :


fbsd_amd64$
fbsd_amd64$ uname -a
FreeBSD vesta 13.0-CURRENT FreeBSD 13.0-CURRENT r345173 GENERIC  amd64
fbsd_amd64$ /usr/bin/openssl version
OpenSSL 1.1.1b-freebsd  26 Feb 2019
fbsd_amd64$ /usr/bin/openssl speed rsa4096
Doing 4096 bits private rsa's for 10s: 638 4096 bits private RSA's in 10.07s
Doing 4096 bits public rsa's for 10s: 43106 4096 bits public RSA's in 10.03s
OpenSSL 1.1.1b-freebsd  26 Feb 2019
built on: reproducible build, date unspecified
options:bn(64,64) rc4(8x,int) des(int) aes(partial) idea(int) blowfish(ptr)
compiler: clang
                  sign    verify    sign/s verify/s
rsa 4096 bits 0.015784s 0.000233s     63.4   4297.2
fbsd_amd64$


Don't go looking for performance on Solaris anymore.  It isn't there.


Dennis