Nguyen Thai Ngoc Duy <[email protected]> writes:
> GnuTLS's RSA key generation time is really long, making it barely
> usable in real life (you would not want to wait half an hour for a new
> https site you visit).
Have you raised a bug report with the GnuTLS people? I am using the
default configuration of GnuTLS so if it is slow then the problem is
with them.
> I tried "openssl rsa 1024" and it took only a
> few seconds. How about dropping GnuTLS support in favor of OpenSSL? I
> made a patch, which simply calls "openssl rsa 1024" to generate
> private keys. It worked really well I did not have to wait while
> surfing https sites.
The reason that I use GnuTLS is because the license better matches the
license of WWWOFFLE (which is the GPL). GnuTLS uses the LGPL license
but OpenSSL uses a BSD type of certificate. The OpenSSL FAQ has a
question about using OpenSSL in GPL software:
| * Can I use OpenSSL with GPL software?
|
| On many systems including the major Linux and BSD distributions, yes (the
| GPL does not place restrictions on using libraries that are part of the
| normal operating system distribution).
|
| On other systems, the situation is less clear. Some GPL software copyright
| holders claim that you infringe on their rights if you use OpenSSL with
| their software on operating systems that don't normally include OpenSSL.
|
| If you develop open source software that uses OpenSSL, you may find it
| useful to choose an other license than the GPL, or state explicitly that
| "This program is released under the GPL with the additional exemption that
| compiling, linking, and/or using OpenSSL is allowed." If you are using
| GPL software developed by others, you may want to ask the copyright holder
| for permission to use their software with OpenSSL.
> If it's not feasible to adapt openssl, how about an option to reuse
> existing private keys? It makes system much weaker, but for a single
> user system like mine, I don't really care.
The certificates are all unique to the server that they are pretending
to be for. They cannot be re-used.
The new version of GnuTLS (newer than the one that was available when
I added GnuTLS support to WWWOFFLE) is also very quick to generate a
key. From researching this I see that it is possible to use a less
good random number source which is quicker at the expense of being
less secure.
This patch seems to fix the problem - the only problem remaining is
that there is a good reason that the default is not to do things this
way.
-------------------- certificates.c patch --------------------
--- certificates.c 2007/07/08 17:52:39 1.32
+++ certificates.c 2009/03/13 18:48:12
@@ -43,6 +43,7 @@
#if USE_GNUTLS
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
+#include <gcrypt.h>
#endif
#include "wwwoffle.h"
@@ -125,6 +126,10 @@
gnutls_global_init();
initialised=1;
+ /* Use faster but less secure key generation. */
+
+ gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM,0);
+
/* Create the certificates directory if needed */
if(stat("certificates",&buf))
-------------------- certificates.c patch --------------------
--
Andrew.
----------------------------------------------------------------------
Andrew M. Bishop [email protected]
http://www.gedanken.demon.co.uk/
WWWOFFLE users page:
http://www.gedanken.demon.co.uk/wwwoffle/version-2.9/user.html
