Hello list

we encounter a weird SSL issue with one of our dovecot (2.2.24 on Centos6) which we can only explain if our assumption is correct.
Symptoms are that imaps connections (on port 993) suddenly get veeeery slow. Up to 180s for one connection with openssl s_client. The thing we do not understand is that in the same time imap connections with starttls are just 1s.
We can see that entropy on the affected system is not so high

cat /proc/sys/kernel/random/entropy_avail
138

So our current theory is: we're running short of entropy but imaps connections are much more affected because they are encrypted from first bit. Whereas a starttls connection has an unencrypted part which generates some entropy it does not use. So I can add entropy to the system that other connections can use.

We're open for any other theory but for the moment we believe (tm) that this is the reason that starttls is far less affected than SSL

Cheers

tobi
On March 23, 2019 12:39:13 PM GMT+01:00, Tobi via dovecot <dovecot at dovecot.org> wrote:
> Hello list
>
> we encounter a weird SSL issue with one of our dovecot (2.2.24 on
> Centos6) which we can only explain if our assumption is correct
> Symptoms are that imaps connections (on port 993) suddenly get veeeery
> slow. Up to 180s for one connection with openssl s_client The thing we
> do not understand is that in the same time imap connections with
> starttls are just 1s.
> We can see that entropy on the affected system is not so high
>
> cat /proc/sys/kernel/random/entropy_avail
> 138
>
> So our current theory is: we're running short of entropy but imaps
> connections are much more affected because they are encrypted from
> first
> bit. Whereas a starttls connection has an unencrypted part which
> generates some entropy it does not use. So I can add entropy to the
> system that other connections can use.
>
> We're open for any other theory but for the moment we believe (tm) that
> this is the reason that starttls is far less affected than SSL

Test your assumption, install haveged and see if that helps

> Cheers
>
> tobi

-- 
Christian Kivalo
Thanks a lot for the hint with haveged. Installed it and entropy went up by factor 10. Seems that the SSL connections now are back to normal again.

Is there a plausible explanation why starttls has been affected much less by this issue compared to SSL?

Christian Kivalo <ml+dovecot at valo.at> wrote on Sat., 23 March 2019, 17:09:

> On March 23, 2019 12:39:13 PM GMT+01:00, Tobi via dovecot <dovecot at dovecot.org> wrote:
> > Hello list
> >
> > we encounter a weird SSL issue with one of our dovecot (2.2.24 on
> > Centos6) which we can only explain if our assumption is correct
> > Symptoms are that imaps connections (on port 993) suddenly get veeeery
> > slow. Up to 180s for one connection with openssl s_client The thing we
> > do not understand is that in the same time imap connections with
> > starttls are just 1s.
> > We can see that entropy on the affected system is not so high
> >
> > cat /proc/sys/kernel/random/entropy_avail
> > 138
> >
> > So our current theory is: we're running short of entropy but imaps
> > connections are much more affected because they are encrypted from
> > first
> > bit. Whereas a starttls connection has an unencrypted part which
> > generates some entropy it does not use. So I can add entropy to the
> > system that other connections can use.
> >
> > We're open for any other theory but for the moment we believe (tm) that
> > this is the reason that starttls is far less affected than SSL
>
> Test your assumption, install haveged and see if that helps
>
> > Cheers
> >
> > tobi
>
> --
> Christian Kivalo
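The diagnosis the thread walks through (read entropy_avail, then compare an imaps handshake on 993 against a starttls handshake on 143 with openssl s_client) as a small added shell helper; this is not code from the thread or from Dovecot, and MAIL_HOST plus the starved/low/ok thresholds are assumptions:

```sh
#!/bin/sh
# Added diagnostic helper, not code from the thread or from Dovecot.
# It reproduces the check described in the thread: read the kernel entropy
# pool, then time an implicit-TLS handshake (imaps, 993) against a STARTTLS
# one (imap, 143) with openssl s_client. MAIL_HOST and the thresholds are
# assumptions, not values from the thread.

MAIL_HOST="${MAIL_HOST:-imap.example.invalid}"   # placeholder, set before use

# Classify a /proc/sys/kernel/random/entropy_avail reading (bits; the pool
# is 4096 bits on the 2.6.32 kernels CentOS 6 ships). Thresholds are an
# assumption chosen so the thread's reading of 138 is "starved" and a
# factor-10 rise after haveged lands in "ok".
entropy_status() {
    avail="$1"
    if [ "$avail" -lt 256 ]; then
        echo starved
    elif [ "$avail" -lt 1024 ]; then
        echo low
    else
        echo ok
    fi
}

current_entropy() {
    cat /proc/sys/kernel/random/entropy_avail
}

# Wall-clock seconds for one handshake. Extra arguments (e.g. "-starttls imap")
# are passed through to s_client; stdin is closed so it exits right after the
# handshake, which is what the thread measured (1s vs up to 180s).
handshake_seconds() {
    host="$1"; port="$2"; shift 2
    start=$(date +%s)
    openssl s_client -connect "$host:$port" "$@" </dev/null >/dev/null 2>&1
    echo $(( $(date +%s) - start ))
}

# Run the comparison only when invoked with --run, so sourcing has no side effects.
if [ "${1:-}" = "--run" ]; then
    e=$(current_entropy)
    echo "entropy_avail=$e ($(entropy_status "$e"))"
    echo "imaps/993 handshake:    $(handshake_seconds "$MAIL_HOST" 993)s"
    echo "starttls/143 handshake: $(handshake_seconds "$MAIL_HOST" 143 -starttls imap)s"
fi
```

Run it with `MAIL_HOST=your.server ./tls_entropy_check.sh --run` before and after installing haveged; if the imaps time collapses as entropy_avail rises, the entropy theory holds for that host.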