Hi William,

William Lallemand <[email protected]> wrote on 03/05/2019 11:06:41:

> Could you send us as an attachment or using git-send-email because
> your mailer seems to mess with the whitespaces and tabs in the patch.
> Also add a line at the end of the commit message indicating in which version
> this patch should be backported. Thanks!

Apologies! I have attached it now, with a backports line.

> > * My reading of RAND_keep_random_devices_open is that it expects OpenSSL
> > rand_lib initialisation to have occurred already, and it will do it if
> > not.
> > So it seems possible that this function call could incur some delays if
> > rand_lib is not yet initialised and the entropy sources cause delay,
> > etc.
> > However, I don't know how big a concern that is. Any thoughts?
>
> In this case you could check the variables global.ssl_used_frontend &&
> global.ssl_used_backend to ensure that SSL was used in the configuration.
> When those variables are not set, the random is not initialized.

I did this in the attached patch. However, I checked the current implementation in OpenSSL and I overstated the problem before: the initialisation consists of constructing three locks and initialising a short array of structs, with no obvious usage of random devices. Therefore, it should not be very expensive, although it is still unnecessary.

For the sake of the list, the patch now looks like:

+#if defined(USE_OPENSSL) && (OPENSSL_VERSION_NUMBER >= 0x10101000L) + if (global.ssl_used_frontend || global.ssl_used_backend) + /* close random device FDs */ + RAND_keep_random_devices_open(0); +#endif

and requests a backport to 1.8 and 1.9 where we noticed this issue (and which include the re-exec for reload code, if I followed its history thoroughly).

Rob

Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number 741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
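Review bot: in the hunk quoted above, the comment "/* close random device FDs */" sits between the "if (global.ssl_used_frontend || global.ssl_used_backend)" condition and its single unbraced statement, so a later edit that adds a second statement there would silently fall outside the condition. Moving the comment above the "if", or bracing the body, would make the guarded scope explicit. The comment could also say why the FDs are closed at this point (the thread ties it to the re-exec on reload), since "RAND_keep_random_devices_open(0)" on its own does not tell a reader that the aim is to avoid carrying the descriptors across the re-exec.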
0001-BUG-MINOR-mworker-close-OpenSSL-FDs-on-reload.patch

