On Fri, 10 May 2002, Joe Orton wrote:
> On Fri, May 10, 2002 at 05:51:04PM +0100, Noel O'Kelly wrote:
> > We have a report of a problem from 2.8.6 onwards due to a change in the
> > seeding of the PRNG which halves the
> > performance of SSL requests. Any update on this ???
>
> Hi, here's the fix we're using...
>
> Submitted by: Nalin Dahyabhai <[EMAIL PROTECTED]>
>
> --- mod_ssl/pkg.sslmod/ssl_engine_rand.c
> +++ mod_ssl/pkg.sslmod/ssl_engine_rand.c
> @@ -156,6 +156,9 @@
> */
> if (ap_scoreboard_image != NULL && SCOREBOARD_SIZE > 16) {
> m = ((SCOREBOARD_SIZE / 2) - 1);
> + if (m > 1024) {
> + m = 1024;
> + }
> n = ssl_rand_choosenum(0, m);
> RAND_seed(((unsigned char *)ap_scoreboard_image)+n, m);
> nDone += m;
FYI, this problem does not affect Apache 2.0+mod_ssl. It _would_ have,
because I forward-ported this change to Apache 2.0 between 2.0.32 and
2.0.33.
http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_rand.c.diff?r1=1.11&r2=1.12
But the group consensus was that we should *not* be using the scoreboard a
source of entropy at all because it's too easy for the client to
manipulate. And then there's this problem. At any rate, the patch was
reverted out of Apache 2.0 prior to 2.0.33.
http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_rand.c.diff?r1=1.12&r2=1.13
I'd suggest the same change in 2.8.9-dev: just get rid of the scoreboard
as a source of entropy altogether.
--Cliff
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
