Thanks a lot for the hint with haveged. Installed it and entropy went up by a factor of 10. Seems that the SSL connections now are back to normal again. Is there a plausible explanation why starttls has been affected much less by this issue compared to SSL?
Christian Kivalo ml+dovecot@valo.at wrote on Sat, 23 March 2019, 17:09:
On March 23, 2019 12:39:13 PM GMT+01:00, Tobi via dovecot < dovecot@dovecot.org> wrote:
Hello list
we encounter a weird SSL issue with one of our dovecot (2.2.24 on Centos6) which we can only explain if our assumption is correct. Symptoms are that imaps connections (on port 993) suddenly get veeeery slow. Up to 180s for one connection with openssl s_client. The thing we do not understand is that at the same time imap connections with starttls are just 1s. We can see that entropy on the affected system is not so high:
cat /proc/sys/kernel/random/entropy_avail
138
So our current theory is: we're running short of entropy but imaps connections are much more affected because they are encrypted from first bit. Whereas a starttls connection has an unencrypted part which generates some entropy it does not use. So I can add entropy to the system that other connections can use.
We're open to any other theory, but for the moment we believe (tm) that this is the reason that starttls is far less affected than SSL.
Test your assumption, install haveged and see if that helps.
Cheers
tobi
-- Christian Kivalo
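
A sampler for the entropy_avail figure quoted in this thread, added here as an example and not part of any poster's message: it reads the value repeatedly and summarises it, so a run before and after installing haveged can be compared. The function name, the ENTROPY_FILE override and the default threshold of 200 are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the kernel entropy estimate.
# ENTROPY_FILE can be overridden to run against a constructed file.
ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"

# entropy_summary SAMPLES INTERVAL THRESHOLD
# Reads the estimate SAMPLES times, INTERVAL seconds apart, and prints
#   min=<n> max=<n> avg=<n> low=<samples below THRESHOLD> samples=<n>
entropy_summary() {
    samples=$1
    interval=$2
    threshold=$3
    if [ "$samples" -lt 1 ]; then
        echo "samples must be >= 1" >&2
        return 1
    fi
    min=
    max=0
    sum=0
    low=0
    i=0
    while [ "$i" -lt "$samples" ]; do
        val=$(cat "$ENTROPY_FILE") || return 1
        # Reject anything that is not a plain non-negative integer.
        case $val in
            ''|*[!0-9]*) echo "unexpected value: $val" >&2; return 1 ;;
        esac
        if [ -z "$min" ] || [ "$val" -lt "$min" ]; then min=$val; fi
        if [ "$val" -gt "$max" ]; then max=$val; fi
        if [ "$val" -lt "$threshold" ]; then low=$((low + 1)); fi
        sum=$((sum + val))
        i=$((i + 1))
        # Sleep between samples, but not after the last one.
        if [ "$i" -lt "$samples" ]; then sleep "$interval"; fi
    done
    echo "min=$min max=$max avg=$((sum / samples)) low=$low samples=$samples"
}

# Invoke as: sh entropy.sh run [SAMPLES] [INTERVAL] [THRESHOLD]
# The threshold default of 200 is an assumed value, not a kernel constant.
if [ "${1:-}" = "run" ]; then
    entropy_summary "${2:-10}" "${3:-1}" "${4:-200}"
fi
```

Sampling during a slow imaps connection shows whether the estimate drops while the handshake is waiting, which is the correlation the theory in the thread depends on.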