Is this assumption correct?

Tobi Schindler tobisworld at gmail.com
Sun Mar 24 16:10:55 EET 2019


Thanks a lot for the hint with haveged. Installed it and entropy went up by
a factor of 10. It seems that the SSL connections are now back to normal again.
Is there a plausible explanation why starttls has been affected much less
by this issue compared to SSL?

Christian Kivalo <ml+dovecot at valo.at> wrote on Sat, 23 March 2019, 17:09:

>
>
> On March 23, 2019 12:39:13 PM GMT+01:00, Tobi via dovecot <
> dovecot at dovecot.org> wrote:
> >Hello list
> >
> >we encounter a weird SSL issue with one of our dovecot (2.2.24 on
> >Centos6) which we can only explain if our assumption is correct.
> >Symptoms are that imaps connections (on port 993) suddenly get veeeery
> >slow. Up to 180s for one connection with openssl s_client. The thing we
> >do not understand is that at the same time imap connections with
> >starttls are just 1s.
> >We can see that entropy on the affected system is not so high
> >
> >cat /proc/sys/kernel/random/entropy_avail
> >138
> >
> >So our current theory is: we're running short of entropy but imaps
> >connections are much more affected because they are encrypted from
> >first bit. Whereas a starttls connection has an unencrypted part which
> >generates some entropy it does not use. So I can add entropy to the
> >system that other connections can use.
> >
> >We're open for any other theory but for the moment we believe (tm) that
> >this is the reason that starttls is far less affected than SSL
> Test your assumption, install haveged and see if that helps
> >Cheers
> >
> >tobi
>
> --
> Christian Kivalo
>
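
A way to put numbers on the theory discussed in this thread, as an added example that is not part of the original messages: it samples the kernel's entropy estimate and, when given a host, times an implicit-TLS handshake on port 993 against a STARTTLS handshake on port 143 with `openssl s_client`. The 1000 threshold, the sample counts, the 200 s timeout and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example. Threshold, sample counts and the 200 s timeout are assumptions.
ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"

# entropy_stats N INTERVAL: print "min avg max" of N samples taken INTERVAL s apart.
entropy_stats() {
    n="${1:-5}"; interval="${2:-1}"; i=0; sum=0; min=""; max=0
    [ "$n" -gt 0 ] || return 1
    while [ "$i" -lt "$n" ]; do
        v=$(cat "$ENTROPY_FILE" 2>/dev/null) || return 1
        case "$v" in ''|*[!0-9]*) return 1 ;; esac   # reject non-numeric content
        if [ -z "$min" ] || [ "$v" -lt "$min" ]; then min="$v"; fi
        if [ "$v" -gt "$max" ]; then max="$v"; fi
        sum=$((sum + v)); i=$((i + 1))
        if [ "$i" -lt "$n" ]; then sleep "$interval"; fi
    done
    echo "$min $((sum / n)) $max"
}

# entropy_state VALUE [THRESHOLD]: "low" below the (assumed) threshold, else "ok".
entropy_state() {
    if [ "$1" -lt "${2:-1000}" ]; then echo low; else echo ok; fi
}

# handshake_seconds HOST PORT [starttls]: wall-clock seconds for one handshake.
handshake_seconds() {
    start=$(date +%s)
    if [ "${3:-}" = starttls ]; then
        timeout 200 openssl s_client -connect "$1:$2" -starttls imap \
            </dev/null >/dev/null 2>&1 || true
    else
        timeout 200 openssl s_client -connect "$1:$2" </dev/null >/dev/null 2>&1 || true
    fi
    echo $(( $(date +%s) - start ))
}

# Usage: ./entropy_check.sh mail.example.org   (host name is a placeholder)
if [ -n "${1:-}" ]; then
    stats=$(entropy_stats 5 1) || { echo "cannot read $ENTROPY_FILE" >&2; exit 1; }
    echo "entropy min/avg/max: $stats ($(entropy_state "${stats%% *}"))"
    echo "imaps    (993): $(handshake_seconds "$1" 993)s"
    echo "starttls (143): $(handshake_seconds "$1" 143 starttls)s"
fi
```

Running it before and after installing haveged gives a direct comparison of the pool level and the two handshake times.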