NetBSD-Users archive


Re: Hundreds of crypto file descriptors for Apache httpd



On Tue, Mar 10, 2020 at 10:59 AM Michael van Elst <mlelstv%serpens.de@localhost> wrote:
>
> frank%phoenix.owl.de@localhost (Frank Wille) writes:
>
> >> Something is using /dev/crypto. openssl would do that, but only if
> >> you configure it.
>
> >Yes, our web-server is also listening on port 443 for several virtual hosts,
> >so SSL is configured.
>
> It's not just SSL. openssl has its own crypto routines and you would only
> use /dev/crypto when you want to use some accelerator hardware that can only
> be accessed by a kernel driver.
>
> The problem here seems to be that the devcrypto engine is builtin and openssl
> just loads every builtin engine with no knob to control that behaviour.
>
> I think the only option you have now is to prevent access to /dev/crypto.
>


https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcryptodevice
could potentially override the use of that engine (if I'm
understanding things correctly).

The 200+ FDs might be one per apache child (if running prefork)?

