On March 23, 2019 12:39:13 PM GMT+01:00, Tobi via dovecot <dovecot@dovecot.org> wrote:
>Hello list
>
>we encounter a weird SSL issue with one of our dovecot (2.2.24 on
>CentOS 6) which we can only explain if our assumption is correct.
>Symptoms are that imaps connections (on port 993) suddenly get veeeery
>slow. Up to 180s for one connection with openssl s_client. The thing we
>do not understand is that at the same time imap connections with
>starttls are just 1s.
>We can see that entropy on the affected system is not so high
>
>cat /proc/sys/kernel/random/entropy_avail
>138
>
>So our current theory is: we're running short of entropy but imaps
>connections are much more affected because they are encrypted from
>first bit. Whereas a starttls connection has an unencrypted part which
>generates some entropy it does not use. So I can add entropy to the
>system that other connections can use.
>
>We're open to any other theory but for the moment we believe (tm) that
>this is the reason that starttls is far less affected than SSL.
Test your assumption: install haveged and see if that helps.
>Cheers
>
>tobi
--
Christian Kivalo
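
Added example, not part of the original messages: a small probe to run on the Dovecot host itself that times an implicit-TLS handshake on port 993 against a STARTTLS handshake on port 143 and logs `entropy_avail` before and after each one. `IMAP_HOST`, `ROUNDS`, `ENTROPY_FILE` and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added diagnostic sketch; not from the thread. IMAP_HOST, ROUNDS,
# ENTROPY_FILE and the function names are assumptions for this example.
ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"

# Print the kernel's current entropy estimate, or -1 if it cannot be read.
entropy_now() {
    if [ -r "$ENTROPY_FILE" ]; then
        tr -d '[:space:]' < "$ENTROPY_FILE"
    else
        printf '%s' -1
    fi
}

# Run a command with stdin closed, discard its output and exit status,
# and print the elapsed time in whole seconds.
elapsed_secs() {
    start=$(date +%s)
    "$@" >/dev/null 2>&1 </dev/null || true
    end=$(date +%s)
    echo $((end - start))
}

# One probe: entropy before, handshake duration, entropy after.
probe() {
    label=$1; shift
    before=$(entropy_now)
    secs=$(elapsed_secs "$@")
    after=$(entropy_now)
    printf '%s label=%s secs=%s entropy_before=%s entropy_after=%s\n' \
        "$(date +%H:%M:%S)" "$label" "$secs" "$before" "$after"
}

# Only touch the network when IMAP_HOST is set, e.g.
#   IMAP_HOST=localhost ROUNDS=10 sh probe.sh
if [ -n "${IMAP_HOST:-}" ]; then
    i=0
    while [ "$i" -lt "${ROUNDS:-5}" ]; do
        probe imaps    openssl s_client -connect "$IMAP_HOST:993"
        probe starttls openssl s_client -connect "$IMAP_HOST:143" -starttls imap
        i=$((i + 1))
    done
fi
```

Run it once before and once after installing haveged; if the `imaps` times drop while `entropy_before` rises, the entropy theory holds, and if the times stay high with plenty of entropy, look elsewhere.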