Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Significant performance degradation for OpenSSL::Cipher#random_iv #4644

Closed
vassilios opened this issue Jun 2, 2017 · 6 comments
Closed

Significant performance degradation for OpenSSL::Cipher#random_iv #4644

vassilios opened this issue Jun 2, 2017 · 6 comments
Labels
openssl performance
Milestone
Invalid or Duplicate

Comments

@vassilios
Copy link

Environment

  • JRuby version
    jruby 9.1.10.0 (2.3.3) 2017-05-25 b09c48a OpenJDK 64-Bit Server VM 25.72-b15 on 1.8.0_72-internal-b15 +jit [linux-x86_64]

  • Operating system and platform
    Linux ip-172-30-3-223 3.13.0-74-generic Bump compilation heap size for jruby-1_6 #118-Ubuntu SMP Thu Dec 17 22:52:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

Expected Behavior

  • On jruby 9.1.5.0, OpenSSL::Cipher#random_iv is in the order of milliseconds
$ jruby -v
jruby 9.1.5.0 (2.3.1) 2016-09-07 036ce39 OpenJDK 64-Bit Server VM 25.72-b15 on 1.8.0_72-internal-b15 +jit [linux-x86_64]

$ jruby test_openssl.rb
       user     system      total        real
   0.120000   0.000000   0.120000 (  0.036478)
   0.020000   0.000000   0.020000 (  0.005314)
   0.010000   0.000000   0.010000 (  0.004749)
   0.010000   0.000000   0.010000 (  0.003048)
   0.010000   0.000000   0.010000 (  0.003130)
   0.020000   0.000000   0.020000 (  0.004657)
   0.020000   0.000000   0.020000 (  0.004773)
   0.020000   0.000000   0.020000 (  0.004274)
   0.010000   0.000000   0.010000 (  0.004260)
   0.010000   0.000000   0.010000 (  0.004021)

Actual Behavior

  • On jruby 9.1.10.0, OpenSSL::Cipher#random_iv is in the order of tens of seconds
$ jruby -v
jruby 9.1.10.0 (2.3.3) 2017-05-25 b09c48a OpenJDK 64-Bit Server VM 25.72-b15 on 1.8.0_72-internal-b15 +jit [linux-x86_64]

$ jruby test_openssl.rb
       user     system      total        real
   0.390000   0.000000   0.390000 ( 14.917977)
   0.170000   0.000000   0.170000 ( 23.454388)
   0.010000   0.000000   0.010000 ( 17.455278)
   0.010000   0.000000   0.010000 ( 15.274974)
   0.020000   0.000000   0.020000 ( 53.286245)
   0.040000   0.000000   0.040000 ( 34.719270)
   0.010000   0.000000   0.010000 ( 20.832769)
   0.010000   0.000000   0.010000 ( 39.318422)
   0.010000   0.000000   0.010000 ( 20.298205)
   0.010000   0.000000   0.010000 ( 33.863245)
``
@Freaky
Copy link
Contributor

Freaky commented Jun 2, 2017

Your Linux box looks low on entropy. This is something of a silly concept, so try setting the JVM to use /dev/urandom for SecureRandom instead:

Locate $JAVA_HOME/jre/lib/security/java.security and set securerandom.source= to file:/dev/urandom.

@vassilios
Copy link
Author

Thank you @Freaky that helps.
After changing the securerandom.source= to file:/dev/urandom the times are back to normal (see below).

Any idea why jruby 9.1.5.0 does not require setting the securerandom.source= to file:/dev/urandom ?
In other words, why is it that OpenSSL::Cipher#random_iv in 9.1.5.0 is indifferent to the low entropy of my linux box, while in 9.1.10.0 it isn't?

$ jruby -v
jruby 9.1.10.0 (2.3.3) 2017-05-25 b09c48a OpenJDK 64-Bit Server VM 25.72-b15 on 1.8.0_72-internal-b15 +jit [linux-x86_64]
$ jruby test_openssl.rb
       user     system      total        real
   0.120000   0.000000   0.120000 (  0.037147)
   0.000000   0.000000   0.000000 (  0.000913)
   0.000000   0.000000   0.000000 (  0.000801)
   0.010000   0.000000   0.010000 (  0.000701)
   0.000000   0.000000   0.000000 (  0.000692)
   0.010000   0.000000   0.010000 (  0.000709)
   0.000000   0.000000   0.000000 (  0.000708)
   0.010000   0.000000   0.010000 (  0.000705)
   0.000000   0.000000   0.000000 (  0.000709)
   0.010000   0.000000   0.010000 (  0.000715)

@kares
Copy link
Member

kares commented Jun 3, 2017

without going to much details its because there's an updated jruby-openssl with a newer bouncy-castle ... JOSSL prefers RG from BC when available (and there's a new one that seems to always initializes itself using the JVM entropy source).

@kares kares closed this as completed Jun 3, 2017
@kares kares added this to the Invalid or Duplicate milestone Jun 3, 2017
@kares kares mentioned this issue Jun 5, 2017
Closed
@headius
Copy link
Member

headius commented Jun 6, 2017

Nobody mentioned another possible workaround: install and run an entropy service like haveged. See https://github.com/jruby/jruby/wiki/Improving-startup-time#ensure-your-system-has-adequate-entropy

@vassilios
Copy link
Author

@kares, @headius thank you for your responses

@kares
Copy link
Member

kares commented Jun 6, 2017

also apt install rng-tools is expected to help on Debian-like machines, although not sure for virtual envs.

@BrunoChauvet BrunoChauvet mentioned this issue Jun 8, 2017
Merged
varyonic added a commit to varyonic/activeadmin-rails that referenced this issue Jun 13, 2017
@varyonic
Revert activeadmin#4850: using —dev improves startup time at the expe…
4c1d5a2 
…nse of long-running code speed

Try non-default entropy source as suggested in jruby/jruby#4644
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
openssl performance
Projects
None yet
Milestone
Invalid or Duplicate
Development

No branches or pull requests
4 participants
@headius @kares @Freaky @vassilios