Suggestion. Do not wait until you establish your first connection to call RAND_poll(). Initialize the PRNG as part of the startup of your app or in a background thread.

> Greetings.
>
> The first SSL connection in my application was taking some 10 to 16
> seconds to return. Thereafter, subsequent SSL connections would
> complete and return immediately.
>
> I eventually traced the culprit to RAND_poll() in rand_win.c.
> Specifically, it was the part of RAND_poll() that walks through the
> list of allocated blocks on the heap(s); this heap walk was consuming
> almost all of those 16 seconds.
>
> I do have a large application, and there were no doubt several heaps,
> each with many allocated blocks. I see that there was code in place
> to limit the number of blocks traversed per heap to 50, but there was
> no limit on the number of separate heaps that may be traversed. In
> fact, it was visiting some 500 blocks total in my case.
>
> (The limit of 50 blocks per heap was as of version 0.9.6d. I note
> that by 0.9.7-beta3 someone has upped that limit to 80, worsening my
> problem.)
>
> Is it really necessary to visit so many blocks? I put in a quick hack
> to apply the 50-block limit to the total number of blocks, rather than
> per heap; this makes it take maybe 2 to 3 seconds instead, which is
> still pretty slow but at least it's tolerable. (Apparently the
> heap-walking routines in Win2000 are quite slow.) I am concerned that
> someone recently felt the need to raise the count to 80, however.
> What effect will capping this number have on the security of my
> transactions?
>
> Perhaps the limit was originally meant to apply to the total number
> anyway, and this was just an oversight? It doesn't make a whole lot
> of sense to limit the number of blocks visited per heap, without also
> limiting the number of heaps.
>
> Do you have any advice?
>
> Many thanks,
> David
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]

Jeffrey Altman * Sr.Software Designer
The Kermit Project @ Columbia University
http://www.kermit-project.org/
[EMAIL PROTECTED]

Kermit 95 2.0 GUI available now!!!
SSH, Secure Telnet, Secure FTP, HTTP
Secured with MIT Kerberos, SRP, and OpenSSL.
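
The difference between a per-heap block limit and a limit on the total, as discussed in the quoted message, shown as an added example that is not part of the original thread and is not OpenSSL's code. It models the walk over constructed heap sizes instead of calling any Windows heap API; `struct heap`, `walk_heaps` and the sample sizes are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for one process heap; only its block count matters. */
struct heap { size_t nblocks; };
struct walk_stats { size_t heaps_entered, blocks_visited; };

/* Constructed sample: 10 heaps, each holding at least 80 allocated blocks. */
const struct heap SAMPLE_HEAPS[] = {
    {400}, {120}, {95}, {900}, {160}, {80}, {3000}, {81}, {130}, {200}
};
#define N_SAMPLE (sizeof SAMPLE_HEAPS / sizeof SAMPLE_HEAPS[0])

/*
 * Model of the walk described in the message: each heap is entered and at
 * most per_heap_cap of its blocks are visited. total_cap == 0 means no
 * overall limit (the reported behaviour); a non-zero total_cap models the
 * poster's hack, where one budget is shared across all heaps.
 */
struct walk_stats walk_heaps(const struct heap *heaps, size_t nheaps,
                             size_t per_heap_cap, size_t total_cap)
{
    struct walk_stats st = {0, 0};
    for (size_t h = 0; h < nheaps; h++) {
        /* Leave the outer loop too, so remaining heaps are never entered. */
        if (total_cap != 0 && st.blocks_visited >= total_cap)
            break;
        st.heaps_entered++;
        for (size_t b = 0; b < heaps[h].nblocks && b < per_heap_cap; b++) {
            if (total_cap != 0 && st.blocks_visited >= total_cap)
                break;
            /* A real walk would mix this block's entry into the PRNG here. */
            st.blocks_visited++;
        }
    }
    return st;
}

int main(void)
{
    struct walk_stats a = walk_heaps(SAMPLE_HEAPS, N_SAMPLE, 50, 0);
    struct walk_stats b = walk_heaps(SAMPLE_HEAPS, N_SAMPLE, 80, 0);
    struct walk_stats c = walk_heaps(SAMPLE_HEAPS, N_SAMPLE, 50, 50);
    printf("50 per heap: %zu blocks, %zu heaps\n", a.blocks_visited, a.heaps_entered);
    printf("80 per heap: %zu blocks, %zu heaps\n", b.blocks_visited, b.heaps_entered);
    printf("50 in total: %zu blocks, %zu heaps\n", c.blocks_visited, c.heaps_entered);
    return 0;
}
```

With only a per-heap limit the work grows with the number of heaps, which is how ten heaps reach the "some 500 blocks" in the message; the shared budget stops after the first heap that exhausts it.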
