On Tue, Mar 10, 2020 at 6:57 AM Frank Wille <fr...@phoenix.owl.de> wrote:
>
> Michael van Elst wrote:
>
> > > frank%phoenix.owl.de@localhost (Frank Wille) writes:
> > > [...]
> > > Where do they come from? Is that some kind of leak? What can I do (besides
> > > restarting Apache or the whole server)?
> >
> > Something is using /dev/crypto. openssl would do that, but only if
> > you configure it.
>
> Yes, our web-server is also listening on port 443 for several virtual hosts,
> so SSL is configured.
>
> But is it normal to create more than 200 crypto file descriptors for each
> httpd process? Then I would have to recompile PHP with a larger FD_SETSIZE,
> as it seems?
If it is OpenSSL and /dev/crypto handles, then something sounds a bit
sideways. OpenSSL is supposed to open the device once and share it
internally. From the head notes of engines/e_devcrypto.c:

    $ cat engines/e_devcrypto.c
    ...
    /*
     * ONE global file descriptor for all sessions. This allows operations
     * such as digest session data copying (see digest_copy()), but is also
     * saner... why re-open /dev/crypto for every session?
     */
    static int cfd = -1;

I believe OpenSSL 1.1.1 removed the engine. If you build OpenSSL 1.1.x from
source, I believe no-devcryptoeng will remove it during configuration.

    $ grep -IR devcryptoeng
    ...
    configdata.pm:    "devcryptoeng",
    configdata.pm:    "devcryptoeng" => "default",
    configdata.pm:    "devcryptoeng" => {
    ...
    INSTALL.md:be disabled with no-devcryptoeng.

I'm not sure what to do with OpenSSL 1.0.2 and earlier.

Jeff
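A way to check the "one global descriptor" expectation against what httpd workers actually hold, added here as an illustration and not part of the thread: it tallies crypto-device descriptors per process from fstat(1) output and flags any process holding more than one. The fstat column layout and the sample lines are constructed assumptions, not output from Frank's server.

```python
# Added example (not from the thread): summarise how many /dev/crypto
# descriptors each process holds, from the output of NetBSD's fstat(1).
# The column layout below is an assumption about fstat's format; adjust
# the field positions if your fstat prints them differently.
from collections import Counter

# Constructed sample of fstat output: three httpd workers, one of which
# has opened /dev/crypto several times (the symptom described above).
SAMPLE_FSTAT = """\
USER     CMD          PID   FD MOUNT       INUM MODE         SZ|DV R/W
www      httpd       1201    0 /           1234 crw--w----  ttyp0 rw
www      httpd       1201    6 /            105 crw-rw-rw-  crypto rw
www      httpd       1202    6 /            105 crw-rw-rw-  crypto rw
www      httpd       1203    6 /            105 crw-rw-rw-  crypto rw
www      httpd       1203    7 /            105 crw-rw-rw-  crypto rw
www      httpd       1203    8 /            105 crw-rw-rw-  crypto rw
root     sshd         600    3 /           2048 crw-rw-rw-  null rw
"""

def crypto_fds_per_process(fstat_text):
    """Return {(pid, cmd): count} of descriptors pointing at the crypto device."""
    counts = Counter()
    for line in fstat_text.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        cmd, pid, device = fields[1], int(fields[2]), fields[7]
        if device == "crypto":
            counts[(pid, cmd)] += 1
    return dict(counts)

def suspicious_processes(counts, expected_max=1):
    """OpenSSL's devcrypto engine keeps ONE global fd, so anything above
    expected_max per process suggests sessions are re-opening the device."""
    return sorted(pid for (pid, _cmd), n in counts.items() if n > expected_max)

if __name__ == "__main__":
    # Live use on NetBSD: fstat | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_FSTAT
    per_proc = crypto_fds_per_process(text)
    for (pid, cmd), n in sorted(per_proc.items()):
        print(f"{cmd:8} pid {pid}: {n} crypto fd(s)")
    print("suspicious:", suspicious_processes(per_proc))
```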