From a quick isolated test, running

    #include <openssl/ssl.h>
    int main() {
        SSL_library_init();
        return 0;
    }

in

    time for i in `seq 1 1000`; do ./a.out; done

takes 15 seconds for me due to the FIPS_selftest() call. This is just
15ms per process start, but it adds up if you have a workload where
you're quickly spawning many processes.

https://bugs.launchpad.net/bugs/1620345

Title:
  Slow startup due to FIPS selftest if openssl loaded

Status in openssl package in Ubuntu:
  New

Bug description:
  I recently noticed that the PHP testsuite runs significantly slower if
  openssl is enabled. E.g. running "make test TESTS=tests" takes 7
  seconds without openssl and 37 seconds with. This is a factor of five
  difference.

  After a quick check using callgrind, it turns out that the vast
  majority of the time is spent in performing a FIPS_selftest(). This
  was very surprising, and I was initially afraid that Ubuntu had
  enabled the OpenSSL FIPS mode, which is well known to degrade
  security. However, it seems that this is not the case, and Ubuntu has
  simply patched OpenSSL to always perform the FIPS_selftest(),
  independently of whether FIPS mode is used.

  I'm not entirely sure what should/can be done about this. I understand
  the motivation for always performing a self-test and that it is not a
  common workload to start a process many hundreds of times in a row to
  perform a small task. However, it should be noted that OpenSSL
  acknowledges [0] that the test is unnecessarily slow, because they
  cannot change the current implementation without invalidating the FIPS
  certification. This indicates that it should be possible to perform a
  cheaper self-test.

   [0]: https://www.openssl.org/docs/fipsnotes.html

  ---

  Description:  Ubuntu 16.04.1 LTS
  Release:      16.04

  libssl-dev:
    Installed: 1.0.2g-1ubuntu4.2
    Candidate: 1.0.2g-1ubuntu4.2
