Re: SSL RAND entropy init takes 30-60 depending on implementation
Date: Wed, 9 Jun 2004 08:43:17 +0200 (CEST)
On Tue, 8 Jun 2004, listman wrote:
> I've looked and found that entropy init occurs on the first successfull
> SSL connection.
> RAND_screen takes about 60 seconds on a P4 2.4 ghz RAND_add & RAND_status
> takes about 30 seconds on the same machine. Which is a long time to wait on
> the first SSL connection.
I figure this is only when using Windows? I've never seen anything but swift
operation on my various unix-uses. Also, I get the feeling most people do not
get this major slowdown as you experience, as then people would've been
complaining louder earlier...
> I would like an additional exported function that would allow early init of
> the SSL entropy data ( ie before a libcurl handle is opened ). I'm willing
> to submit a patch if there is interest.
We could in fact do the seeding already when curl_global_init() sets up the
SSL stuff. If a specific bit is set. The benefit I've seen with doing it on
the first SSL connect is that if you never do any SSL connects you never waste
any time doing the seeding.
> What are people's opinion of using
> on the windows plaform instead of RAND_screen?
I could indeed consider changing how the entropy is gathered, but this is
security stuff so it takes a great deal of consideration and proper research
first. I suggest you first take this up with the proper OpenSSL people to
figure out what they consider regarding the improving of this situation.
> openssl docs state that RAND_screen should not be used on a non-interactive
> machine such as a windows server.
The openssl docs unfortunately is and was in a sorry state. Most good OpenSSL
facts are obtained by asking people or reading source code, IMHO.
But this is news to me. So we should replace the RAND_screen() usage with
something else indeed!
-- Daniel Stenberg -- http://curl.haxx.se -- http://daniel.haxx.se Dedicated custom curl help for hire: http://haxx.se/curl.htmlReceived on 2004-06-09