
Bug#912087: openssh-server: Slow startup after the upgrade to 7.9p1



On Sun, Oct 28, 2018 at 11:41:14AM +0100, Bernhard Übelacker wrote:
> Now it takes some time until that line "random: crng init done"
> appears in dmesg.
> With logging in in the qemu window this line appears just after a
> few seconds, when just trying via ssh it takes much longer.
> 
> 
> I tried to find out where it blocks exactly and came to that location:
> 
> #0  0x00007fb515b1803a in getentropy (buffer=0x56285633d440, length=length@entry=32) at ../sysdeps/unix/sysv/linux/getentropy.c:45
> #1  0x00007fb5161e3603 in syscall_random (buflen=32, buf=<optimized out>) at ../crypto/rand/rand_unix.c:277
> #2  rand_pool_acquire_entropy (pool=pool@entry=0x5628563394e0) at ../crypto/rand/rand_unix.c:469
> #3  0x00007fb5161e2d8d in rand_drbg_get_entropy (drbg=0x562856339e80, pout=0x7ffd1c2bce60, entropy=<optimized out>, min_len=<optimized out>, max_len=<optimized out>, prediction_resistance=0) at ../crypt$
> #4  0x00007fb5161e11b2 in RAND_DRBG_instantiate (drbg=drbg@entry=0x562856339e80, pers=pers@entry=0x7fb516289d20 <ossl_pers_string> "OpenSSL NIST SP 800-90A DRBG", perslen=perslen@entry=28) at ../crypto/$
> #5  0x00007fb5161e21a8 in drbg_setup (parent=parent@entry=0x0) at ../crypto/rand/drbg_lib.c:870
> #6  0x00007fb5161e222f in do_rand_drbg_init () at ../crypto/rand/drbg_lib.c:899
> #7  do_rand_drbg_init_ossl_ () at ../crypto/rand/drbg_lib.c:884
> #8  0x00007fb5150c9827 in __pthread_once_slow (once_control=0x7fb5163118f8 <rand_drbg_init>, init_routine=0x7fb5161e21d0 <do_rand_drbg_init_ossl_>) at pthread_once.c:116
> #9  0x00007fb5150c98e5 in __GI___pthread_once (once_control=once_control@entry=0x7fb5163118f8 <rand_drbg_init>, init_routine=init_routine@entry=0x7fb5161e21d0 <do_rand_drbg_init_ossl_>) at pthread_once.$
> #10 0x00007fb516221329 in CRYPTO_THREAD_run_once (once=once@entry=0x7fb5163118f8 <rand_drbg_init>, init=init@entry=0x7fb5161e21d0 <do_rand_drbg_init_ossl_>) at ../crypto/threads_pthread.c:113
> #11 0x00007fb5161e2327 in RAND_DRBG_get0_master () at ../crypto/rand/drbg_lib.c:1010
> #12 0x00007fb5161e235d in drbg_status () at ../crypto/rand/drbg_lib.c:992
> #13 0x00005628556a253f in seed_rng () at ../../entropy.c:238
> #14 0x000056285564b13c in main (ac=2, av=0x56285631b970) at ../../sshd.c:1696
> 
> Most of the stack is inside /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
> e.g. libssl1.1, which also got a new upload at that time.

Thanks for the investigation.  (Note also that the OpenSSH version in
question is the one that switched from OpenSSL 1.0 to 1.1, which was a
big change.)

There were some significant changes in this area in OpenSSL 1.1.1.
Would it be possible to try running OpenSSH with OpenSSL 1.1.0h to see
if that makes a difference?  Unfortunately this is a little complicated
as it will require doing a local build of the Debian OpenSSH source
package in order to reduce the dependency; let me know if you need help
with setting this up.

-- 
Colin Watson                                       [cjwatson@debian.org]
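
Added example, not part of the original message and not OpenSSH or OpenSSL code: frame #0 of the quoted backtrace is a 32-byte getentropy() call, which on Linux waits until the kernel logs "random: crng init done". The probe below makes the same 32-byte request through getrandom() with GRND_NONBLOCK, so it reports whether a blocking caller such as sshd would stall instead of stalling itself. The names crng_state, classify_getrandom and probe_crng are hypothetical; it assumes Linux 3.17 or later and glibc 2.25 or later.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/random.h>
#include <sys/types.h>

enum crng_state { CRNG_ERROR = -1, CRNG_NOT_SEEDED = 0, CRNG_SEEDED = 1 };

/* Map the outcome of a non-blocking getrandom() call onto a state.
 * n is the return value, err the errno seen, want the bytes requested. */
enum crng_state classify_getrandom(ssize_t n, int err, size_t want)
{
    if (n == (ssize_t)want)
        return CRNG_SEEDED;
    if (n < 0 && err == EAGAIN)
        return CRNG_NOT_SEEDED;  /* a blocking caller would wait here */
    return CRNG_ERROR;           /* e.g. ENOSYS, or a short read */
}

/* Request 32 bytes, the length seen in frame #0, without blocking. */
enum crng_state probe_crng(void)
{
    unsigned char buf[32];
    ssize_t n;
    int err;

    do {
        n = getrandom(buf, sizeof buf, GRND_NONBLOCK);
        err = errno;
    } while (n < 0 && err == EINTR);

    return classify_getrandom(n, err, sizeof buf);
}

int main(void)
{
    switch (probe_crng()) {
    case CRNG_SEEDED:
        puts("crng initialised: getentropy() returns immediately");
        return 0;
    case CRNG_NOT_SEEDED:
        puts("crng not initialised: getentropy() would block");
        return 1;
    default:
        perror("getrandom");
        return 2;
    }
}
```

Run early in boot, before any interactive login, exit status 1 corresponds to the window in which the reported sshd startup delay occurs.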

