Bug 1025554 - generating keys using dnssec-keygen is very slow
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: openssl
Version: 19
Assigned To: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-10-31 17:24 EDT by Jan Včelák
Modified: 2013-11-01 08:57 EDT (History)
Last Closed: 2013-11-01 05:35:39 EDT
Type: Bug
Description Jan Včelák 2013-10-31 17:24:22 EDT
Description of problem:

Generating RSASHA1 keys is very slow since the openssl upgrade.

It seems that the last working version is openssl-1.0.1e-4.fc19.1.x86_64


Version-Release number of selected component (if applicable):
openssl-1.0.1e-30.fc19


How reproducible:
always


Steps to Reproduce:
1. dnssec-keygen example.com

Actual results:
It takes minutes to generate the key.


Expected results:
It takes less than a second to generate the key.


Additional info:
Comment 1 Tomas Mraz 2013-11-01 05:35:39 EDT
This is actually a fixed bug. dnssec-keygen changes the RNG in OpenSSL so that it reads random numbers directly from /dev/random. There was a bug in the old openssl builds that made OpenSSL ignore the RNG engine modification.

You can use -r /dev/urandom to speed the key generation up.
Comment 2 Jan Včelák 2013-11-01 05:53:00 EDT
I see. Does it mean that /dev/urandom was used before the fix? Are the keys generated before less secure?
Comment 3 Tomas Mraz 2013-11-01 06:09:11 EDT
Yes, to the first question. To the second question - theoretically they are less secure, but in practice this is not a real problem unless you generate the keys on a machine that has almost no entropy source and do it immediately after installation. As there always is at least some entropy source and the previous RNG state is saved and reloaded on reboot, the keys generated after the machine has been running for some time after installation should be secure enough.

Note that for example ssh-keygen uses the /dev/urandom as well.

Using /dev/random is in general not recommended unless you have a fast entropy source, possibly a hardware one. What is more, dnssec-keygen does it in a wrong way because it reads many more random bytes than necessary from /dev/random.
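A small diagnostic, added here and not part of the bug report, BIND or OpenSSL, that shows the difference Tomas describes: it reports the kernel's entropy estimate and attempts a non-blocking read from both devices, so a short or empty result from /dev/random is the stall that makes the default dnssec-keygen run take minutes while -r /dev/urandom returns immediately. It assumes a Linux host; note that kernels from 5.6 on no longer block /dev/random once the pool is initialized, so on a modern machine both reads succeed.

```python
import os
import time

# Linux exposes the kernel's entropy-pool estimate (in bits) here.
ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"
# Only probe device nodes that actually exist on this host.
DEVICES = tuple(d for d in ("/dev/random", "/dev/urandom") if os.path.exists(d))


def entropy_avail():
    """Return the kernel's entropy estimate in bits, or None when unavailable."""
    try:
        with open(ENTROPY_AVAIL) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def read_nonblocking(device, nbytes):
    """Read up to nbytes from device without ever blocking.

    Returns (bytes_obtained, elapsed_seconds).  /dev/urandom always delivers
    the full amount; a classic blocking /dev/random with a drained pool
    returns short or zero, which is the stall behind the minutes-long keygen.
    """
    fd = os.open(device, os.O_RDONLY | os.O_NONBLOCK)
    got = bytearray()
    start = time.monotonic()
    try:
        while len(got) < nbytes:
            try:
                chunk = os.read(fd, nbytes - len(got))
            except BlockingIOError:
                break  # pool drained: a blocking read here would hang
            if not chunk:
                break
            got.extend(chunk)
    finally:
        os.close(fd)
    return len(got), time.monotonic() - start


def compare(nbytes=32):
    """Map each device to how many of nbytes it delivered without blocking."""
    return {dev: read_nonblocking(dev, nbytes)[0] for dev in DEVICES}


if __name__ == "__main__":
    print("entropy_avail:", entropy_avail())
    for dev, got in compare().items():
        print(f"{dev}: {got} of 32 bytes available without blocking")
```

Run it on the affected machine right after installation and again after it has been up for a while to see the pool estimate and the /dev/random shortfall change.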
Comment 4 Jan Včelák 2013-11-01 08:57:32 EDT
Great explanation. Thank you! I'm fine with that.
