Heuristically picking # of bits forgnutls_dh_params_generate2
mrsam at courier-mta.com
Sat Dec 10 20:47:29 CET 2011
Kamenik, Aleksander writes:
> Not enough entropry maybe, it's usually quite low on VMs. Input devices and
> network traffic should/might help.
> cat /proc/sys/kernel/random/entropy_avail to check, compare that with the
> host OS.
Thanks, but this is not Linux, and entropy is not the issue here.
> Aleksander Kamenik
> System Administrator
> Krediidiinfo AS
> an Experian Company
> Phone: +372 665 9649
> Email: aleksander at krediidiinfo.ee
> > -----Original Message-----
> > From: help-gnutls-bounces+aleksander.kamenik=krediidiinfo.ee at gnu.org
> > [mailto:help-gnutls-bounces+aleksander.kamenik=krediidiinfo.ee at gnu.org]
> > On Behalf Of Sam Varshavchik
> > Sent: Saturday, December 10, 2011 6:42 PM
> > To: help-gnutls at gnu.org
> > Subject: Heuristically picking # of bits forgnutls_dh_params_generate2
> > Does anyone happen to know of a good heuristic to come up with some
> > reasonable number of bits at runtime that I can give to
> > gnutls_dh_params_generate2, and have reasonably odds of coming up with
> > a DH pair in, maybe, 5-10 seconds.
> > I was hacking on some code in a 32 bit guest VM, and I thought that I
> > was corrupting something, because gnutls_dh_params_generate2 was
> > seemingly getting stuck, spinning forever. But it turns out that it was
> > really just very, very slow.
> > I don't think it's the VM itself, it seems to run reasonably well to
> > me.
> > Regular compiles get completed at a fairly reasonable pace. I don't
> > know if it's just that gmp is slow on i686, if something is not right
> > with the rnd generator, or something other reason. I'm just used to my
> > native x86-64 bare metal cranking out a key at a good clip. After
> > feeding 2048 bits to
> > gnutls_dh_params_generate2 it cranks something out in only a few
> > seconds.
> > But, for whatever reason may be, flipping over to an i686 guest VM, and
> > gnutls_dh_params_generate2 runs slow as molasses. I'm clocking a 1024
> > bit run of gnutls_dh_params_generate2 to take several minutes long,
> > typically.
> > Sometimes I get lucky, and come up with a 1024-bit based parameter in
> > 5-10 seconds. But my last two runs took a minute and a half, and over
> > three minutes, each, and that's typical. With GNUTLS_SEC_PARAM_NORMAL
> > telling me that I should use 3072 bits, that'll probably take a day.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 198 bytes
Desc: not available
More information about the Gnutls-help