AW: AW: Performance Issue With OpenSSL 1.1.1c
Yay, there are some controversial discussions taking place on

https://github.com/openssl/openssl/issues/9078

It would be great if you could join us and provide more details about the circumstances of your issue. In particular, information like kernel/os version and whether the significant startup delay is encountered only at early boot time or also when you start the daemon manually when the system is up and running.

Matthias
Re: AW: Performance Issue With OpenSSL 1.1.1c
Hi,

I opened an issue on GitHub to discuss this problem in more detail.

https://github.com/openssl/openssl/issues/9078

It would be nice if you could join the discussion there.

Matthias

@Jay: in particular I'm interested to learn which linux version and distribution you were using. On newer systems, `getentropy()` should be the method of choice, because it does not share the deficiencies of the `/dev/urandom` device.

On 30.05.19 02:11, Dr. Matthias St. Pierre wrote:
> > To work around the /dev/random blocking issue, you can just add:
> >
> > -DDEVRANDOM="\"/dev/urandom\""
> >
> > as a parameter to ./Configure
> >
> > This will remove the special handling of /dev/urandom and /dev/random
> > in 1.1.1c.
>
> Tomáš, Jay,
>
> I'm afraid this suggestion won't help, because `DEVRANDOM_WAIT` is defined unconditionally in e_os.h:
>
> https://github.com/openssl/openssl/blob/OpenSSL_1_1_1c/e_os.h#L30-L34
>
> This means that the select() call will happen on linux independently of what `DEVRANDOM` is defined to be:
>
> https://github.com/openssl/openssl/blob/OpenSSL_1_1_1c/crypto/rand/rand_unix.c#L509-L535
>
> I think that pull request #8251 needs to be reconsidered. Give me one day or two, I'll create a GitHub issue for that and post the link here when it's ready.
>
> Matthias
AW: Performance Issue With OpenSSL 1.1.1c
Correction, Tomáš was correct: there is an `# ifndef DEVRANDOM` surrounding the problematic code:

https://github.com/openssl/openssl/blob/OpenSSL_1_1_1c/e_os.h#L25-L34

Nevertheless, I still think this code needs to be changed, because the seeding should just work correctly out-of-the-box without having to add special defines on the command line.

Matthias
AW: Performance Issue With OpenSSL 1.1.1c
> To work around the /dev/random blocking issue, you can just add:
>
> -DDEVRANDOM="\"/dev/urandom\""
>
> as a parameter to ./Configure
>
> This will remove the special handling of /dev/urandom and /dev/random
> in 1.1.1c.

Tomáš, Jay,

I'm afraid this suggestion won't help, because `DEVRANDOM_WAIT` is defined unconditionally in e_os.h:

https://github.com/openssl/openssl/blob/OpenSSL_1_1_1c/e_os.h#L30-L34

This means that the select() call will happen on linux independently of what `DEVRANDOM` is defined to be:

https://github.com/openssl/openssl/blob/OpenSSL_1_1_1c/crypto/rand/rand_unix.c#L509-L535

I think that pull request #8251 needs to be reconsidered. Give me one day or two, I'll create a GitHub issue for that and post the link here when it's ready.

Matthias
AW: Performance Issue With OpenSSL 1.1.1c
> I think I have tracked down the change in 1.1.1c that is causing this.
> It is the addition of the DEVRANDOM_WAIT functionality for linux in
> e_os.h and crypto/rand/rand_unix.c. lighttpd (libcrypto) is waiting in
> a select() call on /dev/random. After this eventually wakes up, it then
> reads from /dev/urandom. OpenSSL 1.1.1b did not do this, but instead
> just read from /dev/urandom. Is there more information about this
> change (i.e., a rationale)? I did not see anything in the CHANGES file
> about it.

The original discussions for this change can be found on GitHub:

- issue #8215, fixed by pull request #8251
- issue #8416, fixed by pull request #8428

(see links below). And you are right, the change should have been mentioned in the CHANGES file. Apologies for that.

HTH,
Matthias

https://github.com/openssl/openssl/issues/8215
https://github.com/openssl/openssl/pull/8251
https://github.com/openssl/openssl/issues/8416
https://github.com/openssl/openssl/pull/8428
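
Added example, not part of the original messages and not OpenSSL's code: a small Linux probe for the startup delay discussed in this thread. It times a select() on /dev/random and separately asks the kernel RNG whether it is seeded; the helper names `wait_dev_random` and `kernel_rng_ready` and the timeout are assumptions made for illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* feature macro for the glibc declarations used */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/random.h>
#include <sys/select.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical helper: select() on /dev/random, the wait the thread describes,
 * but bounded by timeout_ms so the probe itself cannot hang.
 * Returns 1 = readable, 0 = not readable at timeout, -1 = error. */
int wait_dev_random(int timeout_ms, long *elapsed_ms)
{
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    struct timespec t0, t1;
    fd_set fds;
    int r, fd = open("/dev/random", O_RDONLY | O_NONBLOCK);

    *elapsed_ms = 0;
    if (fd < 0 || fd >= FD_SETSIZE) {
        if (fd >= 0) close(fd);
        return -1;
    }
    FD_ZERO(&fds);
    FD_SET(fd, &fds);
    clock_gettime(CLOCK_MONOTONIC, &t0);
    r = select(fd + 1, &fds, NULL, NULL, &tv);
    clock_gettime(CLOCK_MONOTONIC, &t1);
    close(fd);
    *elapsed_ms = (t1.tv_sec - t0.tv_sec) * 1000L
                + (t1.tv_nsec - t0.tv_nsec) / 1000000L;
    return r < 0 ? -1 : (r > 0);
}

/* Hypothetical helper: query the kernel RNG without blocking.
 * Returns 1 = initialised, 0 = not yet seeded (EAGAIN), -1 = other error. */
int kernel_rng_ready(void)
{
    unsigned char b;
    if (getrandom(&b, 1, GRND_NONBLOCK) == 1) return 1;
    return errno == EAGAIN ? 0 : -1;
}

int main(void)
{
    long ms;
    int r = wait_dev_random(2000, &ms);
    printf("select(/dev/random): %d after %ld ms; kernel RNG ready: %d\n",
           r, ms, kernel_rng_ready());
    return 0;
}
```

A long or timed-out select() wait together with a ready kernel RNG points at the /dev/random wait, rather than an unseeded kernel, as the source of the delay.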