NetBSD-Users archive
Re: Hundreds of crypto file descriptors for Apache httpd
On Tue, Mar 10, 2020 at 6:57 AM Frank Wille <frank%phoenix.owl.de@localhost> wrote:
>
> Michael van Elst wrote:
>
> >> frank%phoenix.owl.de@localhost (Frank Wille) writes:
> >> [...]
> >> Where do they come from? Is that some kind of leak? What can I do (besides
> >> restarting Apache or the whole server)?
> >
> > Something is using /dev/crypto. openssl would do that, but only if
> > you configure it.
>
> Yes, our web-server is also listening on port 443 for several virtual hosts,
> so SSL is configured.
>
> But is it normal to create more than 200 crypto file descriptors for each
> httpd process? Then I would have to recompile PHP with a larger FD_SETSIZE,
> as it seems?
If it is OpenSSL and /dev/crypto handles, then something sounds a bit
sideways. OpenSSL is supposed to open the device once and share it
internally. From the head notes of engines/e_devcrypto.c:
$ cat engines/e_devcrypto.c
...
/*
 * ONE global file descriptor for all sessions. This allows operations
 * such as digest session data copying (see digest_copy()), but is also
 * saner... why re-open /dev/crypto for every session?
 */
static int cfd = -1;
I believe OpenSSL 1.1.1 removed the engine.
If you build OpenSSL 1.1.x from source, I believe no-devcryptoeng will
remove it during configuration.
$ grep -IR devcryptoeng
...
configdata.pm: "devcryptoeng",
configdata.pm: "devcryptoeng" => "default",
configdata.pm: "devcryptoeng" => {
...
INSTALL.md:be disabled with no-devcryptoeng.
I'm not sure what to do with OpenSSL 1.0.2 and earlier.
Jeff
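Added example (not from Jeff's reply or from OpenSSL): a small sh script that takes fstat(1)-style output and counts how many /dev/crypto descriptors each process holds, so the "more than 200 per httpd process" figure above can be measured instead of estimated. The column layout (USER CMD PID FD MOUNT INUM MODE SZ|DV R/W) and the device name "crypto" in the SZ|DV column are assumptions about fstat's format; the sample block inside the script is constructed input, not output from the poster's server, and the default threshold of 200 is simply the number reported in the thread.

```shell
#!/bin/sh
# Added example: count /dev/crypto descriptors per process from fstat(1) output.
# Assumed fstat column layout: USER CMD PID FD MOUNT INUM MODE SZ|DV R/W
# On a live NetBSD box the intended use is:  fstat | flag_fd_pressure 200

# count_crypto_fds: read fstat-style lines on stdin, print "PID CMD count"
# for every process that has at least one character device named "crypto" open.
count_crypto_fds() {
    awk 'NR > 1 && $7 ~ /^c/ && $8 == "crypto" { n[$3] += 1; cmd[$3] = $2 }
         END { for (p in n) printf "%s %s %d\n", p, cmd[p], n[p] }' | sort -n
}

# flag_fd_pressure THRESHOLD: print only processes whose crypto-descriptor count
# is at or above THRESHOLD (default 200, the figure reported in the thread).
flag_fd_pressure() {
    threshold="${1:-200}"
    count_crypto_fds | awk -v t="$threshold" '$3 >= t { print }'
}

# Constructed sample of fstat output (not real data): one httpd with three
# crypto descriptors, one with a single descriptor, and an unrelated sshd.
SAMPLE_FSTAT='USER     CMD          PID   FD MOUNT       INUM MODE         SZ|DV R/W
www      httpd       1234   wd /              2 drwxr-xr-x     512 r
www      httpd       1234    3 /           4711 crw-rw-rw-  crypto rw
www      httpd       1234    4 /           4711 crw-rw-rw-  crypto rw
www      httpd       1234    5 /           4711 crw-rw-rw-  crypto rw
www      httpd       5678    3 /           4711 crw-rw-rw-  crypto rw
root     sshd         999    3 /           4712 crw-rw-rw-    null rw'

# Demonstration on the constructed sample with a low threshold so something is flagged.
printf '%s\n' "$SAMPLE_FSTAT" | flag_fd_pressure 3
```

Because OpenSSL's devcrypto engine keeps a single global descriptor (the cfd above), a per-process count that climbs into the hundreds points at something other than the engine itself, which is exactly the kind of evidence worth having before rebuilding PHP with a larger FD_SETSIZE.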