In message <[EMAIL PROTECTED]> on Fri, 21 Nov 2003 01:33:01 +0100, "Dr. Stephen Henson" <[EMAIL PROTECTED]> said:
steve> On Fri, Nov 21, 2003, Richard Levitte - VMS Whacker wrote:
steve> 
steve> > Yesterday, people at Infrasec Sweden AB (http://www.infrasec.se/) and
steve> > me spent the better part of the day tracing through a program that
steve> > uses SSL with an nCipher box and figuring out what exactly made about
steve> > every 15th SSL_accept stall for half a second.  We guessed there was
steve> > something happening with creating session keys, so we took a closer
steve> > look at random number generation, and lo and behold, at every stall,
steve> > we saw RAND_bytes stall as well (about .4 s).
steve> > 
steve> > The stall might not be visible if it wasn't for a multithreaded server
steve> > that gets harassed with a ton of requests (all without any reusable
steve> > information) per second.  Still, the stalls we saw were very clear
steve> > performance degradations.
steve> > 
steve> > So, an idea could be, at least for the hw_ncipher.c/e_ncipher.c code
steve> > to use the nCipher RNG only to seed the internal OpenSSL pool.  We
steve> > made a hack yesterday that gave exactly that effect, and it gave much
steve> > better performance than the .5s stalls about every 15th request :).
steve> > 
steve> > Thoughts?
steve> > 
steve> 
steve> Was the application doing this because it set the nCipher box to be the
steve> default RNG or was it some automatic behaviour when an nCipher box was
steve> detected?

It was a result of 'ENGINE *e = ENGINE_by_id("chil")' followed by
'ENGINE_set_default(e,ENGINE_METHOD_ALL)'.

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.
You don't have to be rich, a $10 donation is appreciated!

-- 
Richard Levitte   \ Tunnlandsvägen 3 \ [EMAIL PROTECTED]
[EMAIL PROTECTED] \ S-168 36 BROMMA  \ T: +46-8-26 52 47
                  \ SWEDEN           \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis       -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.