Thanks a lot for the hint with haveged. Installed it and entropy went up by a factor of 10. Seems that the SSL connections now are back to normal again.
Is there a plausible explanation why starttls has been affected much less by this issue compared to SSL?

Christian Kivalo <ml+dovecot@valo.at> wrote on Sat, 23 March 2019, 17:09:


On March 23, 2019 12:39:13 PM GMT+01:00, Tobi via dovecot <dovecot@dovecot.org> wrote:
>Hello list
>
>we encounter a weird SSL issue with one of our dovecot (2.2.24 on
>Centos6) which we can only explain if our assumption is correct.
>Symptoms are that imaps connections (on port 993) suddenly get veeeery
>slow. Up to 180s for one connection with openssl s_client. The thing we
>do not understand is that at the same time imap connections with
>starttls are just 1s.
>We can see that entropy on the affected system is not so high
>
>cat /proc/sys/kernel/random/entropy_avail
>138
>
>So our current theory is: we're running short of entropy but imaps
>connections are much more affected because they are encrypted from the
>first bit. Whereas a starttls connection has an unencrypted part which
>generates some entropy it does not use. So I can add entropy to the
>system that other connections can use.
>
>We're open for any other theory but for the moment we believe (tm) that
>this is the reason that starttls is far less affected than SSL.
Test your assumption, install haveged and see if that helps
>Cheers
>
>tobi

--
Christian Kivalo