[gnutls-dev] Speed of random data generation
Andreas Metzler
ametzler at downhill.at.eu.org
Wed Jun 13 19:45:39 CEST 2007
On 2007-06-13 Alex Hudson <home at alexhudson.com> wrote:
[...]
> * we create Diffie-Hellman parameters using
> gnutls_dh_params_{init|generate2}, and save that to a file;
> * we create RSA parameters using a similar process;
> * we create a public/private keyset for the various server
> sockets.
> Now, the problem we have is that during setup, it can take a long time
> to create all that data. The problem seems to be entirely entropy
> starvation - and is particularly bad on headless server-type equipment.
[...]
> Our project did use OpenSSL at one stage, and that seemed to work fine.
Hello,
OpenSSL is usually built to use /dev/urandom instead of /dev/random,
which does not block if you are out of entropy.
OpenSSL also simply seems to pull fewer bytes from the device for doing
the same thing. "certtool --generate-dh-params --bits 1024" almost
completely depletes the entropy pool (down from 3596 to 143 bytes[1]
according to /proc/sys/kernel/random/entropy_avail), while the
equivalent "openssl gendh 1024" only takes 237 bytes but takes a little
bit more raw computing power.
cu andreas
[1] No idea whether the unit actually *is* bytes. ;-)
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
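An added example, not from the thread: a small Python script that repeats Andreas's measurement, reading entropy_avail before and after each command and reporting the drop (the kernel reports that counter in bits). The candidate commands and the comparison helper are assumptions, not gnutls or OpenSSL code.

```python
"""Measure how far the kernel entropy counter drops while a command runs.

Added example, not part of the gnutls-dev thread. The kernel reports
/proc/sys/kernel/random/entropy_avail in bits, not bytes. Since Linux 5.6
/dev/random no longer blocks once the pool is seeded at boot, so on modern
kernels the counter barely moves; the measurement is still useful for
spotting a tool that reads far more from the device than it needs."""
import shutil
import subprocess
import sys
from typing import Callable, Sequence

ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"
# No-op command used for a dry run of the measurement itself.
PYTHON_NOOP = [sys.executable, "-c", "pass"]


def read_entropy_avail(path: str = ENTROPY_AVAIL) -> int:
    """Current kernel entropy estimate in bits, or -1 if the file is unavailable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return -1


def entropy_drain(cmd: Sequence[str], read: Callable[[], int] = read_entropy_avail) -> dict:
    """Run cmd with its output discarded and report the counter before and after.

    `read` is injectable so the bookkeeping can be exercised without /proc."""
    before = read()
    proc = subprocess.run(list(cmd), stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    after = read()
    return {"cmd": " ".join(cmd), "before": before, "after": after,
            "drain": before - after, "returncode": proc.returncode}


def compare_generators(candidates: Sequence[Sequence[str]]) -> list:
    """Measure each candidate whose binary is installed; the others are skipped."""
    return [entropy_drain(c) for c in candidates if shutil.which(c[0])]


if __name__ == "__main__":
    # The two commands compared in the thread (assumed installed; modern
    # OpenSSL replaces "gendh" with "openssl dhparam").
    results = compare_generators([
        ["certtool", "--generate-dh-params", "--bits", "1024"],
        ["openssl", "gendh", "1024"],
    ])
    for r in results:
        print(f"{r['cmd']}: {r['before']} -> {r['after']} bits (drain {r['drain']})")
```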