On Tue, Mar 10, 2020 at 10:59 AM Michael van Elst <mlel...@serpens.de> wrote:
>
> fr...@phoenix.owl.de (Frank Wille) writes:
>
> >> Something is using /dev/crypto. openssl would do that, but only if
> >> you configure it.
>
> >Yes, our web-server is also listening on port 443 for several virtual hosts,
> >so SSL is configured.
>
> It's not just SSL. openssl has its own crypto routines and you would only
> use /dev/crypto when you want to use some accelerator hardware that can only
> be accessed by a kernel driver.
>
> The problem here seems to be that the devcrypto engine is builtin and openssl
> just loads every builtin engine with no knob to control that behaviour.
>
> I think the only option you have now is to prevent access to /dev/crypto.
>

https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcryptodevice could potentially override the use of that engine (if I'm understanding things correctly). The 200+ FDs might be one per apache child (if running prefork)?