On Fri, Nov 21, 2003, Richard Levitte - VMS Whacker wrote:

> Yesterday, people at Infrasec Sweden AB (http://www.infrasec.se/) and
> me spent the better part of the day tracing through a program that
> uses SSL with an nCipher box and figuring out what exactly made about
> every 15th SSL_accept stall for half a second. We guessed there was
> something happening with creating session keys, so we took a closer
> look at random number generation, and lo and behold, at every stall,
> we saw RAND_bytes stall as well (about .4 s).
>
> The stall might not be visible if it wasn't for a multithreaded server
> that gets harassed with a ton of requests (all without any reusable
> information) per second. Still, the stalls we saw were very clear
> performance degradations.
>
> So, an idea could be, at least for the hw_ncipher.c/e_ncipher.c code
> to use the nCipher RNG only to seed the internal OpenSSL pool. We
> made a hack yesterday that gave exactly that effect, and it gave much
> better performance than the .5s stalls about every 15th request :).
>
> Thoughts?
>

Was the application doing this because it set the nCipher box to be the default RNG or was it some automatic behaviour when an nCipher box was detected?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://drh-consultancy.demon.co.uk