Yesterday, people at Infrasec Sweden AB (http://www.infrasec.se/) and I spent the better part of the day tracing through a program that uses SSL with an nCipher box and figuring out what exactly made about every 15th SSL_accept stall for half a second. We guessed there was something happening with creating session keys, so we took a closer look at random number generation, and lo and behold, at every stall, we saw RAND_bytes stall as well (about .4 s).
The stall might not be visible if it wasn't for a multithreaded server that gets harassed with a ton of requests (all without any reusable information) per second. Still, the stalls we saw were very clear performance degradations.

So, an idea could be, at least for the hw_ncipher.c/e_ncipher.c code, to use the nCipher RNG only to seed the internal OpenSSL pool. We made a hack yesterday that gave exactly that effect, and it gave much better performance than the .5s stalls about every 15th request :).

Thoughts?

--
Richard Levitte
Member of the OpenSSL development team: http://www.openssl.org/
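The seed-only idea from the message above, as an added sketch that is not part of the original post and is not OpenSSL's or the nCipher engine's code: a software pool (an HMAC-DRBG-style generator) is seeded from the hardware RNG and serves every request, so the device is touched only at reseed time. Assumptions: `os.urandom` stands in for the hardware RNG, the class and function names are hypothetical, and the reseed interval of 1000 is illustrative.

```python
import hashlib
import hmac
import os

class SlowHardwareRNG:
    """Stand-in for the HSM RNG (assumption: os.urandom replaces the device)."""
    def __init__(self):
        self.calls = 0

    def read(self, n):
        self.calls += 1  # each call models one slow round trip to the box
        return os.urandom(n)

class SeededPool:
    """HMAC-SHA256 generator that goes to hardware only to (re)seed."""
    def __init__(self, hw, reseed_interval=1000):
        self.hw, self.reseed_interval = hw, reseed_interval
        self.key, self.value = b"\x00" * 32, b"\x01" * 32
        self.since_reseed = 0
        self._update(hw.read(48))  # initial seed from hardware

    def _mac(self, data):
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def _update(self, seed=b""):
        # Mix optional seed material into the state (key, value).
        for tag in (b"\x00", b"\x01") if seed else (b"\x00",):
            self.key = self._mac(self.value + tag + seed)
            self.value = self._mac(self.value)

    def random_bytes(self, n):
        if self.since_reseed >= self.reseed_interval:
            self._update(self.hw.read(48))  # periodic hardware reseed
            self.since_reseed = 0
        out = b""
        while len(out) < n:
            self.value = self._mac(self.value)
            out += self.value
        self._update()  # advance state so earlier output cannot be recomputed
        self.since_reseed += 1
        return out[:n]

def simulate(requests, use_pool, reseed_interval=1000):
    """Return (hardware round trips, distinct 32-byte outputs) for a run."""
    hw = SlowHardwareRNG()
    pool = SeededPool(hw, reseed_interval) if use_pool else None
    outputs = {pool.random_bytes(32) if use_pool else hw.read(32) for _ in range(requests)}
    return hw.calls, len(outputs)
```

The trade-off is that output between reseeds comes from software state held in process memory rather than from the device, so the reseed interval bounds how long a captured state stays useful.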