View Issue Details

ID: 0036045
Project: FPC
Category: Packages
View Status: public
Last Update: 2019-09-07 15:35
Reporter: Pavol S
Assigned To: Michael Van Canneyt
Status: resolved
Resolution: fixed
Product Version: 3.0.4
Fixed in Version: 3.3.1
Summary: 0036045: OpenSSL calling extremely slow RandScreen due to InitSSLInterface
Description: In openssl.pas there is a call to _RandScreen:

function InitSSLInterface: Boolean;

    if assigned(_RandScreen) then

This is extremely painful because it takes 1-2 sec. to get these random numbers from the screen on a modern machine, and nobody uses it with TFPHTTPClient...
Steps To Reproduce:

uses
    sslsockets, ssockets, fphttpclient;

HTTP := TFPHTTPClient.Create(Nil);
HTTP.HTTPMethod( 'GET', '', Response, []);
// wait long time for first openssl init ...


Fixed in Revision: 42931

2019-09-04 08:25

reporter   ~0117945

Using RAND_screen is a very bad choice:
1. The RAND_screen() function is available for the convenience of Windows programmers. It adds the current contents of the screen to the PRNG. For applications that can catch Windows events, seeding the PRNG by calling RAND_event() is a significantly better source of randomness.
---> It should be noted that both methods cannot be used on servers that run without user interaction. <---

2. RAND_event() and RAND_screen() are deprecated since OpenSSL 1.1.0.


2019-09-04 08:40

reporter   ~0117946

OpenSSL 1.1.1+:
These functions can be used to seed the random generator and to check its seeded state. In general, manual (re-)seeding of the default OpenSSL random generator (RAND_OpenSSL(3)) is not necessary (but allowed), since it does (re-)seed itself automatically using trusted system entropy sources. This holds unless the default RAND_METHOD has been replaced or OpenSSL was built with automatic reseeding disabled, see RAND(7) for more details.
-> Maybe just call RAND_poll (or code below)

OpenSSL 1.1.0 and older:
var
  RandomArray: array[0..9] of Cardinal;
  i: Integer;

for i := Low(RandomArray) to High(RandomArray) do
  RandomArray[i] := RandomRange(Low(Cardinal), High(Cardinal));

// RAND_seed takes a byte count, so pass SizeOf (40 bytes), not Length (10 elements)
RAND_seed(@RandomArray, SizeOf(RandomArray));
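
Added example (not part of the original thread or of FPC's openssl unit): instead of seeding from the screen or from the RTL's Random, which is not a cryptographic generator, a program can ask OpenSSL whether its PRNG is seeded and have it poll the operating system's entropy source only when needed. The library file names and the EnsureSeeded helper are assumptions; RAND_status and RAND_poll are resolved directly from libcrypto.

```pascal
program CheckOpenSSLSeed;
{$mode objfpc}{$H+}
uses
  dynlibs;

type
  TRandFunc = function: LongInt; cdecl; // int RAND_status(void), int RAND_poll(void)

const
  // Assumed file names; adjust to the OpenSSL build that is actually deployed.
  CryptoLibs: array[0..3] of string = ('libcrypto-1_1-x64.dll',
    'libcrypto-1_1.dll', 'libeay32.dll', 'libcrypto.so');

// Hypothetical helper: True when OpenSSL reports its PRNG as seeded;
// polls the operating system's entropy source once if it is not.
function EnsureSeeded(Lib: TLibHandle): Boolean;
var
  RandStatus, RandPoll: TRandFunc;
begin
  Result := False;
  RandStatus := TRandFunc(GetProcedureAddress(Lib, 'RAND_status'));
  RandPoll := TRandFunc(GetProcedureAddress(Lib, 'RAND_poll'));
  if not Assigned(RandStatus) then
    Exit;                       // not a usable libcrypto
  if RandStatus() = 1 then
    Exit(True);                 // already seeded, nothing to do
  if Assigned(RandPoll) and (RandPoll() = 1) then
    Result := RandStatus() = 1; // re-check after polling
end;

var
  Lib: TLibHandle;
  i: Integer;
begin
  Lib := NilHandle;
  for i := Low(CryptoLibs) to High(CryptoLibs) do
  begin
    Lib := LoadLibrary(CryptoLibs[i]);
    if Lib <> NilHandle then
      Break;
  end;
  if Lib = NilHandle then
    Halt(1);                    // libcrypto not found under the assumed names
  if EnsureSeeded(Lib) then
    WriteLn('OpenSSL PRNG is seeded')
  else
    WriteLn('OpenSSL PRNG is not seeded');
  UnloadLibrary(Lib);
end.
```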

Pavol S

2019-09-04 15:13

reporter   ~0117952

Yes, it's deprecated, and under Windows it extremely slows down application start (two times). Is it possible to remove this call in InitSSLInterface from FPC?

Michael Van Canneyt

2019-09-07 15:35

administrator   ~0117969

Removed the call in initssllibrary, marked RandScreen as deprecated.

Issue History

Date Modified Username Field Change
2019-09-03 23:22 Pavol S New Issue
2019-09-03 23:23 Pavol S Tag Attached: windows
2019-09-04 08:25 rd0x Note Added: 0117945
2019-09-04 08:40 rd0x Note Added: 0117946
2019-09-04 15:13 Pavol S Note Added: 0117952
2019-09-07 15:35 Michael Van Canneyt Assigned To => Michael Van Canneyt
2019-09-07 15:35 Michael Van Canneyt Status new => resolved
2019-09-07 15:35 Michael Van Canneyt Resolution open => fixed
2019-09-07 15:35 Michael Van Canneyt Fixed in Version => 3.3.1
2019-09-07 15:35 Michael Van Canneyt Fixed in Revision => 42931
2019-09-07 15:35 Michael Van Canneyt FPCTarget => 3.2.0
2019-09-07 15:35 Michael Van Canneyt Note Added: 0117969