View Issue Details

ID: 0036045
Project: FPC
Category: Packages
View Status: public
Last Update: 2019-09-07 15:35
Reporter: Pavol S
Assigned To: Michael Van Canneyt
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: Win32/64
OS: Windows
OS Version: 10
Product Version: 3.0.4
Product Build:
Target Version:
Fixed in Version: 3.3.1
Summary: 0036045: OpenSSL calling extremely slow RandScreen due to InitSSLInterface
Description: In openssl.pas there is a call to _RandScreen:

function InitSSLInterface: Boolean;
begin
  Result:=SSLLoaded;
...

    if assigned(_RandScreen) then
      _RandScreen;
...

This is extremely painful because it takes 1-2 sec. to get these random numbers from the screen on a modern machine and nobody uses it with TFPHTTPClient...
Steps To Reproduce:
uses
    sslsockets, ssockets, fphttpclient;

begin
HTTP := TFPHTTPClient.Create(Nil);
HTTP.HTTPMethod( 'GET', 'https://somecool.api.com', Response, []);
// wait long time for first openssl init ...

...

end.
Tags: windows
Fixed in Revision: 42931
FPCOldBugId:
FPCTarget: 3.2.0
Attached Files

Activities

rd0x

2019-09-04 08:25

reporter   ~0117945

Using RAND_screen is a very bad choice:
1. The RAND_screen() function is available for the convenience of Windows programmers. It adds the current contents of the screen to the PRNG. For applications that can catch Windows events, seeding the PRNG by calling RAND_event() is a significantly better source of randomness.
---> It should be noted that both methods cannot be used on servers that run without user interaction. <---

2. RAND_event() and RAND_screen() are deprecated since OpenSSL 1.1.0.

rd0x

2019-09-04 08:40

reporter   ~0117946

OpenSSL 1.1.1+:
These functions can be used to seed the random generator and to check its seeded state. In general, manual (re-)seeding of the default OpenSSL random generator (RAND_OpenSSL(3)) is not necessary (but allowed), since it does (re-)seed itself automatically using trusted system entropy sources. This holds unless the default RAND_METHOD has been replaced or OpenSSL was built with automatic reseeding disabled, see RAND(7) for more details.
-> Maybe just call RAND_poll (or code below)

OpenSSL 1.1.0 and older:
var
  RandomArray: array[0..9] of Cardinal;
  i: Integer;
begin
...
  // Fill the seed buffer.
  for i := Low(RandomArray) to High(RandomArray) do
    RandomArray[i] := RandomRange(Low(Cardinal), High(Cardinal));

  // RAND_seed expects the buffer size in bytes, hence SizeOf rather than Length.
  RAND_seed(@RandomArray, SizeOf(RandomArray));
...
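
The check that note ~0117946 describes for OpenSSL 1.1.1+, as an added example that is not part of the original thread or of FPC's openssl.pas: it asks RAND_status whether the PRNG is seeded, falls back to a single RAND_poll call, and never touches RAND_screen. The DLL name and the EnsureSeeded helper are assumptions made for illustration; RAND_status, RAND_poll and RAND_bytes are the OpenSSL functions of those names.

```pascal
program CheckOpenSSLSeed;
{$mode objfpc}{$H+}
// Added example (not FPC's openssl.pas): verify the OpenSSL PRNG is seeded
// without RAND_screen, and fail closed if it is not.
uses
  dynlibs, ctypes;

type
  TRandStatus = function: cint; cdecl;
  TRandPoll   = function: cint; cdecl;
  TRandBytes  = function(buf: PByte; num: cint): cint; cdecl;

const
  // Assumption: file name of a 64-bit OpenSSL 1.1.x build on Windows.
  CryptoLib = 'libcrypto-1_1-x64.dll';

// True only when RAND_status reports a seeded PRNG, polling once if needed.
function EnsureSeeded(Lib: TLibHandle): Boolean;
var
  Status: TRandStatus;
  Poll: TRandPoll;
begin
  Result := False;
  Status := TRandStatus(GetProcedureAddress(Lib, 'RAND_status'));
  Poll := TRandPoll(GetProcedureAddress(Lib, 'RAND_poll'));
  if not Assigned(Status) then
    Exit;
  if Status() = 1 then
    Exit(True);              // 1.1.1+ normally lands here: it self-seeds
  if Assigned(Poll) and (Poll() = 1) then
    Result := Status() = 1;  // re-check after pulling OS entropy
end;

var
  Lib: TLibHandle;
  GetBytes: TRandBytes;
  Key: array[0..31] of Byte;
begin
  Lib := LoadLibrary(CryptoLib);
  if Lib = NilHandle then
    Halt(2);
  GetBytes := TRandBytes(GetProcedureAddress(Lib, 'RAND_bytes'));
  // Refuse to continue on an unseeded PRNG or a failed RAND_bytes call.
  if (not EnsureSeeded(Lib)) or (not Assigned(GetBytes))
     or (GetBytes(@Key[0], SizeOf(Key)) <> 1) then
    Halt(1);
  WriteLn('PRNG seeded; drew ', SizeOf(Key), ' random bytes');
  UnloadLibrary(Lib);
end.
```

On OpenSSL 1.1.0 and older, bytes handed to RAND_seed should come from the operating system's CSPRNG. Output from Random or RandomRange is predictable and contributes no real entropy.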

Pavol S

2019-09-04 15:13

reporter   ~0117952

Yes, it's deprecated and under Windows it extremely slows down application start (two times). Is it possible to remove this call in InitSSLInterface from FPC?

Michael Van Canneyt

2019-09-07 15:35

administrator   ~0117969

Removed the call in initssllibrary, marked RandScreen as deprecated.

Issue History

Date Modified Username Field Change
2019-09-03 23:22 Pavol S New Issue
2019-09-03 23:23 Pavol S Tag Attached: windows
2019-09-04 08:25 rd0x Note Added: 0117945
2019-09-04 08:40 rd0x Note Added: 0117946
2019-09-04 15:13 Pavol S Note Added: 0117952
2019-09-07 15:35 Michael Van Canneyt Assigned To => Michael Van Canneyt
2019-09-07 15:35 Michael Van Canneyt Status new => resolved
2019-09-07 15:35 Michael Van Canneyt Resolution open => fixed
2019-09-07 15:35 Michael Van Canneyt Fixed in Version => 3.3.1
2019-09-07 15:35 Michael Van Canneyt Fixed in Revision => 42931
2019-09-07 15:35 Michael Van Canneyt FPCTarget => 3.2.0
2019-09-07 15:35 Michael Van Canneyt Note Added: 0117969