Re: Slow crypto initialization.

[Jake Goulding]

Thanks for the information about the rt address. We sent the
explanation and patch as you suggested, and can now see the issue on
the tracker list. However, no one has commented on it. Are there
additional steps we can take to further the process of accepting the
patch?

Thanks!

Jake Goulding | Software Engineer
gould...@vivisimo.com | Connect: www.vivisimo.com
Vivisimo - Information Optimized

- Ger Hobbelt g...@hobbelt.com wrote:

 Don't be sorry, this is great work!! I'm glad the culprit has been
 found (and fixed)!
 
 BTW: To help the OpenSSL core team help track and fix this, it would
 be good to submit your message + patch to r...@openssl.org so it ends up
 as an issue ticket in the tracker and this material does not disappear
 off the horizon of an ever progressing discussion list. A reference to
 this email thread in the RT would be handy, e.g.:
 http://www.bluequartz.us/phpBB2/viewtopic.php?t=131309 (the entire
 thread is easily viewable as a set of forum messages there, so one
 page carries all)
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Slow crypto initialization.

[Kyle Hamilton]

 The OpenSSL development team typically don't comment on a request until
they've fixed it.  (I believe this is poor customer service, but I
also believe that I'm not entitled to good customer service until I've
paid for it.)

What appears to happen is this:

1) bug submitter sends an email to r...@openssl.org
2) rt records it, along with any attached patches, and mails openssl-dev
and the core committers
3) One of the core committers (eventually) looks at it
4) One of the core committers (eventually) integrates it
5) The core committer comments on the bug about when the patch was
checked in, or other pertinent details
6) Eventually, the next release of OpenSSL comes out, with the patch
included.

OpenSSL isn't an open open-source software, in that the core
committers appear to maintain a separate mailing list where they
coordinate how they're working on new pieces and how they're supposed to
interact.  (If I had to guess, I'd think that this was primarily done
for the FIPS validation effort [since the CMVP is used to
non-open-source development strategies], but it might have been that too
many people without any knowledge of security were trying to suggest
things that were completely and inexplicably just not getting the
concepts of security is a chain of components, which is only as strong
as its weakest link.  I am not a member of the core committing team,
and in fact I have no direct correspondence with them, so these are
guesses.)

It would be nice to interview the developers, and ask them what's
different in 1.0.0 over 0.9.8, as well as to get an idea of their plans
for the future and some of the flavors of their personalities.  However,
I'm also not a journalist, so I'm not the appropriate person to do that,
either.

However: the best way to add comments (including comments on how long
it's taking to process your patch) to your bug report is not to complain
on the openssl-users list, it's to reply to r...@openssl.org with your bug
number in the Subject line.  That will cause it to add your
correspondence to its record, and bounce it to openssl-dev and all the
developers.

I wish there were a customer service organization for it as good as
Debian's... but there are other issues there.

-Kyle H

On 7/27/10 1:31 PM, Jake Goulding wrote:
 Thanks for the information about the rt address. We sent the
 explanation and patch as you suggested, and can now see the issue on
 the tracker list. However, no one has commented on it. Are there
 additional steps we can take to further the process of accepting the
 patch?

 Thanks!

 Jake Goulding | Software Engineer
 gould...@vivisimo.com | Connect: www.vivisimo.com
 Vivisimo - Information Optimized

 - Ger Hobbelt g...@hobbelt.com wrote:

 Don't be sorry, this is great work!! I'm glad the culprit has been
 found (and fixed)!

 BTW: To help the OpenSSL core team help track and fix this, it would
 be good to submit your message + patch to r...@openssl.org so it ends up
 as an issue ticket in the tracker and this material does not disappear
 off the horizon of an ever progressing discussion list. A reference to
 this email thread in the RT would be handy, e.g.:
 http://www.bluequartz.us/phpBB2/viewtopic.php?t=131309 (the entire
 thread is easily viewable as a set of forum messages there, so one
 page carries all)
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   majord...@openssl.org




smime.p7s
Description: S/MIME Cryptographic Signature

Re: Slow crypto initialization.

[Ger Hobbelt]

Don't be sorry, this is great work!! I'm glad the culprit has been found
(and fixed)!

BTW: To help the OpenSSL core team help track and fix this, it would be good
to submit your message + patch to r...@openssl.org so it ends up as an issue
ticket in the tracker and this material does not disappear off the horizon
of an ever progressing discussion list. A reference to this email thread in
the RT would be handy, e.g.:
http://www.bluequartz.us/phpBB2/viewtopic.php?t=131309 (the entire thread is
easily viewable as a set of forum messages there, so one page carries all)


On Fri, Jul 2, 2010 at 9:13 PM, Jake Goulding gould...@vivisimo.com wrote:



-- 
Met vriendelijke groeten / Best regards,

Ger Hobbelt

--
web:http://www.hobbelt.com/
   http://www.hebbut.net/
mail:   g...@hobbelt.com
mobile: +31-6-11 120 978
--

Re: Slow crypto initialization.

[Jake Goulding]

To start off with, we're sorry for any confusion we caused, but this
issue does not have any interaction with the heap-walking code. The
problem definitely has to do with the readscreen function. Making
readscreen() a no-op decreases initialization time by 3 seconds.

Delving more into the issue, we added debug prints to measure the
timing [1] of various sections of readscreen(). For our particular
case, the inner loop is called 47 times. Inside the loop, each
invocation of GetBitmapBits takes about 78ms. The total runtime of
readscreen alone was 3640ms.

The MSDN page indicates that GetBitmapBits is a 16-bit Windows
compatibility function [2]. Some random web searches seem to indicate
that it has to go through multiple layers of compatibility code,
involving acquiring a global lock of some kind.

The same MSDN page points to the suggested replacement function,
GetDIBits [3].

Please find attached a patch to modify readscreen to use the newer
GetDIBits function. On our problem machine, this decreases the time
taken in readscreen() to 94ms. The majority of the code in the patch
comes from a MSDN example on device contexts [4].

To verify that the new code functions identically, we modified the
original code and printed out the hex of the hashed data. For each
chunk of framebuffer, the hash is
1adc95bebe9eea8c112d40cd4ab7a8d75c4f961, in both the sets of code.

Of special note is that this code runs in the context of the anonymous
IIS user, which is unlikely to have a useful screen. One might wonder
how often this happens. Presumably, user-mode software can actually
access the screen, but server-type software will not have a screen.

Please let me know if we can provide further data or help. Any
comments, insight, or suggestions on the patch are appreciated.

Thanks!

[1] The timing information was provided by the Windows function
GetSystemTimeAsFileTime.
[2] http://msdn.microsoft.com/en-us/library/dd144850(VS.85).aspx
[3] http://msdn.microsoft.com/en-us/library/dd144879(v=VS.85).aspx
[4] http://msdn.microsoft.com/en-us/library/dd183402(v=VS.85).aspx

Jake Goulding | Software Engineer
gould...@vivisimo.com | Connect: www.vivisimo.com
Vivisimo - Information Optimized

- Brian Makin ma...@vivisimo.com wrote:

 This is Windows 2003, 64 bit, and it's definitely in RAND_screen.
 I'm trying to move things to 1.0.0a now.commit 3e66cd55c48596fb42da9c98635a347a5159eec2
Author: Jake Goulding gould...@vivisimo.com
Date:   Fri Jul 2 14:42:32 2010 -0400

Update Windows function that gets the bits of the screen

diff --git a/source/openssl-0.9.8l/crypto/rand/rand_win.c b/source/openssl-0.9.8l/crypto/rand/rand_win.c
index 00dbe42..11394af 100644
--- a/source/openssl-0.9.8l/crypto/rand/rand_win.c
+++ b/source/openssl-0.9.8l/crypto/rand/rand_win.c
@@ -690,9 +690,7 @@ static void readscreen(void)
 {
 #if !defined(OPENSSL_SYS_WINCE)  !defined(OPENSSL_SYS_WIN32_CYGWIN)
   HDC		hScrDC;		/* screen DC */
-  HDC		hMemDC;		/* memory DC */
   HBITMAP	hBitmap;	/* handle for our bitmap */
-  HBITMAP	hOldBitmap;	/* handle for previous bitmap */
   BITMAP	bm;		/* bitmap properties */
   unsigned int	size;		/* size of bitmap */
   char		*bmbits;	/* contents of bitmap */
@@ -700,13 +698,13 @@ static void readscreen(void)
   int		h;		/* screen height */
   int		y;		/* y-coordinate of screen lines to grab */
   int		n = 16;		/* number of screen lines to grab at a time */
+  BITMAPINFOHEADER   bi;	/* info about the bitmap  */
 
   if (GetVersion() = 0x8000 || !OPENSSL_isservice())
 return;
 
-  /* Create a screen DC and a memory DC compatible to screen DC */
-  hScrDC = CreateDC(TEXT(DISPLAY), NULL, NULL, NULL);
-  hMemDC = CreateCompatibleDC(hScrDC);
+  /* Get a reference to the screen DC */
+  hScrDC = GetDC(NULL);
 
   /* Get screen resolution */
   w = GetDeviceCaps(hScrDC, HORZRES);
@@ -715,13 +713,22 @@ static void readscreen(void)
   /* Create a bitmap compatible with the screen DC */
   hBitmap = CreateCompatibleBitmap(hScrDC, w, n);
 
-  /* Select new bitmap into memory DC */
-  hOldBitmap = SelectObject(hMemDC, hBitmap);
-
   /* Get bitmap properties */
   GetObject(hBitmap, sizeof(BITMAP), (LPSTR)bm);
   size = (unsigned int)bm.bmWidthBytes * bm.bmHeight * bm.bmPlanes;
 
+  bi.biSize = sizeof(BITMAPINFOHEADER);
+  bi.biWidth = bm.bmWidth;
+  bi.biHeight = bm.bmHeight;
+  bi.biPlanes = bm.bmPlanes;
+  bi.biBitCount = bm.bmBitsPixel;
+  bi.biCompression = BI_RGB;
+  bi.biSizeImage = 0;
+  bi.biXPelsPerMeter = 0;
+  bi.biYPelsPerMeter = 0;
+  bi.biClrUsed = 0;
+  bi.biClrImportant = 0;
+
   bmbits = OPENSSL_malloc(size);
   if (bmbits) {
 /* Now go through the whole screen, repeatedly grabbing n lines */
@@ -729,11 +736,9 @@ static void readscreen(void)
 	{
 	unsigned char md[MD_DIGEST_LENGTH];
 
-	/* Bitblt screen DC to memory DC */
-	BitBlt(hMemDC, 0, 0, w, n, hScrDC, 0, y, SRCCOPY);
-
-	/* Copy bitmap bits from memory DC to bmbits */
-	GetBitmapBits(hBitmap, size, bmbits);
+	/* Copy the bits of the 

Re: Slow crypto initialization.

[Ger Hobbelt]

On Wed, Jun 30, 2010 at 9:12 PM, Brian Makin ma...@vivisimo.com wrote:


 Thank you... this is mostly what I expected.
 In our case we having a problem with a CGI program so the response time
 is important and initialization happens many times.

 We may just have to hope no other boxes display this behavior :)


I hadn't thought about the Win7 screen issue mentioned by Dr. Henson as you
said you had several machines (of, and I assume this, similar make, OS wise)
and only one playing up, which is a symptom I have learned to associate with
the Rand_poll() heap walking issue. Which doesn't say I'm right, so checking
makes sure here.

Since, in your case, the timeout cost is significant (as it's happening in a
CGI app), it's worth checking out which is it on your box. I'd  be
interested to hear whether it's the heapwalk loop or the (IIRC)
read_screen() itself causing the delay. (I bet on the former as Win7 ~~
Server2008 in this and you mentioned you're running on 2003)



[OT here] just a thought but since you're init-ing and exit-ing OPenSSL
repeatedly due to starting and exiting the CGI exe, you may consider
'improving your random pool over time' by adding code in the CGI to dump the
random pool to file (open for write and exclusive access, just shrug and
don't write at all when the OS says another instance is already /writing/,
this isn't about keeping everything, best effort is what we're after) at the
end of the CGI run, while RAND_add()ing the file content at CGI start. Note
that I say RAND_add() so this loading some 'unknown' amount of previously
gathered entropy from a file doesn't replace the 'regular' entropy gathering
that happens which each start!

The thought here is that you can alleviate any suspected reduction in
entropy gathering 'quality' - as sources are removed from the gathering - by
accumulating the gathered entropy over an extended time, surpassing the CGI
run-time lifetime boundaries by 'persisting' entropy gathered so far.
The whole file I/O thing is best effort based so for multiple CGI instances
running in parallel only one gets to 'win' and the collection in the other
instances are 'lost', but that's okay, in a way, as we're considering longer
term here, where a CGI instance I(t+n) now gets to have a /chance/ at
obtaining more entropy than it would on its own, thanks to the successful
persisting action by previous instance I(t) (instance 'I' at time 't'). [An
alternative to classic fopen/fwrite/fclose might be memory mapped I/O which
shared write access; no interprocess locking needed as we don't care who
gets to write his stuff in there, just as long as it's happening fast and we
don't run the risk of a completely zeroed file content or some such
nastiness.]

It's not ideal, but it at least helps cover your tracks when you cut out the
offending source in OpenSSL itself.


-- 
Met vriendelijke groeten / Best regards,

Ger Hobbelt

--
web:http://www.hobbelt.com/
   http://www.hebbut.net/
mail:   g...@hobbelt.com
mobile: +31-6-11 120 978
--

Re: Slow crypto initialization.

[Jean-Marc Desperrier]

Ger Hobbelt wrote:

a symptom I have learned to associate with the Rand_poll() heap walking
issue.


AFAIR some time ago there was a problem that *just the first call* to 
the heap walking function would, under 64 bits Windows, take second in 
some circumstances. That's clearly a bug, and only Microsoft can do 
something about it.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Slow crypto initialization.

[Brian Makin]

I am seeing a very slow initialization on a single Windows 2003 box with
openssl-0.9.8l.

During initialization the function RAND_screen gets called.  This
effectively hashes the frame buffer to generate entropy.  In our case we
are running as an IIS user and I'm not even sure what screen it's
getting.

This function takes on the order of 3 seconds.

We have other identical boxes which are behaving correctly and a single
box which is very slow.

Two questions.
1. It appears that this is deprecated so would it be reasonable to
simply remove it?

2. Does anyone have any idea why this function is misbehaving?

-- 
BRIAN MAKIN
Senior Software Engineer
ma...@vivisimo.com

Vivisimo [Search Done Right™]
1710 Murray Avenue
Pittsburgh, PA 15217 USA
tel: +1.412.422.2499
vivisimo.com

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Slow crypto initialization.

[Ger Hobbelt]

:-( I hope I recall correctly that what I mention next is indeed stuff
happening in RAND_screen()... IIRC RAND_screen() isn't 'only' reading the
screen but also doing a system-level heap traversal and a few other things
and it was exactly that system-level heap traversal that slowed a few
spurious Win boxes down to a snail's pace, so my take is it doing that to
yours too.
Has featured a few times here; there's a a known but quite unpredictable
issue in the Windows specific heap walking code in there (I'd have to check
the code to see again which calls it were, exactly); there's been a patch to
at least limit the scan to an upper bound in time and as with anything
entropy related, there's always the question 'is it really random?' or
better: 'is it good enough random?'

The technical (software) part of the issue is that the problem occurs only
on some machines and is quite unpredictable in where it might pop up and
when; since OpenSSL accesses some Win-internal structures there, which have
been documented to some degree, the problem is 'known' in that we know it
can happen, and a few fixes have been added to the code to at least limit
the bother  to an upper bound, but the issue of 'slow' isn't exactly
/fixable/: turns out the machine is spending all that time inside the
Windows OS itself and OpenSSL has no control over that, once it's called
that one Win API. Some boxes just take ages in there for unknown reasons.


Depending on what your servers do, the 'making certain' move re entropy is
to connect a hardware entropy source to the box, but that's probably
off-topic here (unless it's an IIS webserver working in a military/banking
setting). Anyway, removing [semi-]entropy sources /is/ an option, but it's
dangerous as removing them one by one in the end delivers zero entropy and
we've to thank a Debian fellow for [accidentally, but /quite/ noticably]
showing everyone what happens when you like cleaning up so much you lose a
suddenly-after-the-fact significant chunk of entropy gathering while your
streetcred is in the can, permanently.

Personally, I wouldn't even bother about those 3 secs and let it do what it
wants doing, as they [the 3 secs] only happen at library /init/ time, i.e.
server [re]start. Of course, there'll be plenty who say 'just remove the
code', but it gets quite inconclusive if you only count the 'votes' from
security/cryptography knowledgable folks. And, no, that heap walk in
RAND_screen() isn't a big source of entropy, probably small, rather, but you
grab what you can, when you don't go the hardware entropy source route: you
have to realize that you're 'faking' the whole entropy thing right there,
all the way, so the game isn't about entropy-as-is but about making it
bloody dang hard for any hacker to predict what your 'random' pool looks
like at time t. There are no hard and fast answers to the question 'when
have I done enough gathering?'   And RAND_Screen() does add several chunks
of unpredictability to that game. Now how many bits of /entropy/ it's
delivering, I won't (and can't) say (OpenSSL takes a guess, but that's all);
it's checking several sources and eliminating sources [one at a time]
because they bother you is a plenty dangerous game if you don't /exactly/
know what you're doing. Hence my basic answer: 'let it be'; maybe not what
you'd like to hear, but it saves losts of $$$ in discussion / security
review / calamities down the line.

[For the monetarily inclined, this subject has been discussed a lot in the
ML before and when you count those emails @ some hourly rate and see what
the result (or rather: the amount of change) is, then calc that cost sum and
compare with X times a slower restart of N servers and the $-quantified
cost, material and immaterial, of that... yeah. Let it be.]


And when you go about 'removing it' anyway, be very very careful WHAT you
remove, because I don't think it's the screen sampling that'll turn out to
eat the cycles on that one box of yours but the heap traversal sys calls
which are part of RAND_poll()/RAND_screen() and they are only a part of the
whole RAND_whatever entropy collecting thing.


Bottom line: commenting out the call(s) to RAND_screen() would quite
definitely turn you out as 'the IIS guy who's related to that Debian guy
y'all heard about before' several months down the line. A slightly 'smarter'
removal would take out that heap walk loop if it /really/ hurts, but
remember... Cave canem! (And this one has a /serious/ bite to it!)



On Wed, Jun 30, 2010 at 4:11 PM, Brian Makin ma...@vivisimo.com wrote:

 I am seeing a very slow initialization on a single Windows 2003 box with
 openssl-0.9.8l.

 During initialization the function RAND_screen gets called.  This
 effectively hashes the frame buffer to generate entropy.  In our case we
 are running as an IIS user and I'm not even sure what screen it's
 getting.

 This function takes on the order of 3 seconds.

 We have other identical boxes which are behaving correctly and a single
 

Re: Slow crypto initialization.

[Dr. Stephen Henson]

On Wed, Jun 30, 2010, Ger Hobbelt wrote:

 :-( I hope I recall correctly that what I mention next is indeed stuff
 happening in RAND_screen()... IIRC RAND_screen() isn't 'only' reading the
 screen but also doing a system-level heap traversal and a few other things
 and it was exactly that system-level heap traversal that slowed a few
 spurious Win boxes down to a snail's pace, so my take is it doing that to
 yours too.

Just a correction. RAND_screen() doesn't perform those other activities such
as heap walking, those happen during the automatic entropy gather on Windows.
There are known issues with Windows 7 and some 64 bit versions of Windows two.

I asked about this and the actual bug is the previous quick behaviour. The
functions apparently need to do a lot of time consuming things which previous
versions of windows didn't handle correctly.

I'd first suggest trying a newer version of OpenSSL such as 0.9.8o which does
include some timing code that halts heap walking if it is taking too long. It
isn't the only source of entropy, there are several others including the
CryptoAPI PRNG.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Slow crypto initialization.

[Dr. Stephen Henson]

On Wed, Jun 30, 2010, Dr. Stephen Henson wrote:

 On Wed, Jun 30, 2010, Ger Hobbelt wrote:
 
  :-( I hope I recall correctly that what I mention next is indeed stuff
  happening in RAND_screen()... IIRC RAND_screen() isn't 'only' reading the
  screen but also doing a system-level heap traversal and a few other things
  and it was exactly that system-level heap traversal that slowed a few
  spurious Win boxes down to a snail's pace, so my take is it doing that to
  yours too.
 
 Just a correction. RAND_screen() doesn't perform those other activities such
 as heap walking, those happen during the automatic entropy gather on Windows.
 There are known issues with Windows 7 and some 64 bit versions of Windows two.
 

Ooops, I should check the code before making statements like that... bugger.

RAND_screen() used to just add the screen. It now also does the auto PRNG
seeding via RAND_poll() as well, though that also happens automatically too.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Slow crypto initialization.

[Brian Makin]

Thank you... this is mostly what I expected.
In our case we having a problem with a CGI program so the response time
is important and initialization happens many times.

We may just have to hope no other boxes display this behavior :)

On Wed, 2010-06-30 at 19:19 +0200, Ger Hobbelt wrote:
 :-( I hope I recall correctly that what I mention next is indeed stuff
 happening in RAND_screen()... IIRC RAND_screen() isn't 'only' reading
 the screen but also doing a system-level heap traversal and a few
 other things and it was exactly that system-level heap traversal that
 slowed a few spurious Win boxes down to a snail's pace, so my take is
 it doing that to yours too.
 Has featured a few times here; there's a a known but quite
 unpredictable issue in the Windows specific heap walking code in there
 (I'd have to check the code to see again which calls it were,
 exactly); there's been a patch to at least limit the scan to an upper
 bound in time and as with anything entropy related, there's always the
 question 'is it really random?' or better: 'is it good enough random?'
 
 The technical (software) part of the issue is that the problem occurs
 only on some machines and is quite unpredictable in where it might pop
 up and when; since OpenSSL accesses some Win-internal structures
 there, which have been documented to some degree, the problem is
 'known' in that we know it can happen, and a few fixes have been added
 to the code to at least limit the bother  to an upper bound, but the
 issue of 'slow' isn't exactly /fixable/: turns out the machine is
 spending all that time inside the Windows OS itself and OpenSSL has no
 control over that, once it's called that one Win API. Some boxes just
 take ages in there for unknown reasons.
 
 
 Depending on what your servers do, the 'making certain' move re
 entropy is to connect a hardware entropy source to the box, but that's
 probably off-topic here (unless it's an IIS webserver working in a
 military/banking setting). Anyway, removing [semi-]entropy
 sources /is/ an option, but it's dangerous as removing them one by one
 in the end delivers zero entropy and we've to thank a Debian fellow
 for [accidentally, but /quite/ noticably] showing everyone what
 happens when you like cleaning up so much you lose a
 suddenly-after-the-fact significant chunk of entropy gathering while
 your streetcred is in the can, permanently.
 
 Personally, I wouldn't even bother about those 3 secs and let it do
 what it wants doing, as they [the 3 secs] only happen at
 library /init/ time, i.e. server [re]start. Of course, there'll be
 plenty who say 'just remove the code', but it gets quite inconclusive
 if you only count the 'votes' from security/cryptography knowledgable
 folks. And, no, that heap walk in RAND_screen() isn't a big source of
 entropy, probably small, rather, but you grab what you can, when you
 don't go the hardware entropy source route: you have to realize that
 you're 'faking' the whole entropy thing right there, all the way, so
 the game isn't about entropy-as-is but about making it bloody dang
 hard for any hacker to predict what your 'random' pool looks like at
 time t. There are no hard and fast answers to the question 'when have
 I done enough gathering?'   And RAND_Screen() does add several chunks
 of unpredictability to that game. Now how many bits of /entropy/ it's
 delivering, I won't (and can't) say (OpenSSL takes a guess, but that's
 all); it's checking several sources and eliminating sources [one at a
 time] because they bother you is a plenty dangerous game if you
 don't /exactly/ know what you're doing. Hence my basic answer: 'let it
 be'; maybe not what you'd like to hear, but it saves losts of $$$ in
 discussion / security review / calamities down the line.
 
 [For the monetarily inclined, this subject has been discussed a lot in
 the ML before and when you count those emails @ some hourly rate and
 see what the result (or rather: the amount of change) is, then calc
 that cost sum and compare with X times a slower restart of N servers
 and the $-quantified cost, material and immaterial, of that... yeah.
 Let it be.]
 
 
 And when you go about 'removing it' anyway, be very very careful WHAT
 you remove, because I don't think it's the screen sampling that'll
 turn out to eat the cycles on that one box of yours but the heap
 traversal sys calls which are part of RAND_poll()/RAND_screen() and
 they are only a part of the whole RAND_whatever entropy collecting
 thing.
 
 
 Bottom line: commenting out the call(s) to RAND_screen() would quite
 definitely turn you out as 'the IIS guy who's related to that Debian
 guy y'all heard about before' several months down the line. A slightly
 'smarter' removal would take out that heap walk loop if it /really/
 hurts, but remember... Cave canem! (And this one has a /serious/ bite
 to it!)
 
 
 
 On Wed, Jun 30, 2010 at 4:11 PM, Brian Makin ma...@vivisimo.com
 wrote:
 I am seeing a very slow initialization on a single 

Re: Slow crypto initialization.

[Brian Makin]

This is Windows 2003, 64 bit, and it's definitely in RAND_screen.
I'm trying to move things to 1.0.0a now.

On Wed, 2010-06-30 at 20:47 +0200, Dr. Stephen Henson wrote:
 On Wed, Jun 30, 2010, Ger Hobbelt wrote:
 
  :-( I hope I recall correctly that what I mention next is indeed stuff
  happening in RAND_screen()... IIRC RAND_screen() isn't 'only' reading the
  screen but also doing a system-level heap traversal and a few other things
  and it was exactly that system-level heap traversal that slowed a few
  spurious Win boxes down to a snail's pace, so my take is it doing that to
  yours too.
 
 Just a correction. RAND_screen() doesn't perform those other activities such
 as heap walking, those happen during the automatic entropy gather on Windows.
 There are known issues with Windows 7 and some 64 bit versions of Windows two.
 
 I asked about this and the actual bug is the previous quick behaviour. The
 functions apparently need to do a lot of time consuming things which previous
 versions of windows didn't handle correctly.
 
 I'd first suggest trying a newer version of OpenSSL such as 0.9.8o which does
 include some timing code that halts heap walking if it is taking too long. It
 isn't the only source of entropy, there are several others including the
 CryptoAPI PRNG.
 
 Steve.
 --
 Dr Stephen N. Henson. OpenSSL project core developer.
 Commercial tech support now available see: http://www.openssl.org
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   majord...@openssl.org


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org