[Pkg-openssl-devel] Bug#912087: openssh-server: Slow startup after the upgrade to 7.9p1

Colin Watson cjwatson at debian.org
Mon Oct 29 00:28:15 GMT 2018


Control: reassign -1 openssl 1.1.1-1
Control: affects -1 openssh

On Mon, Oct 29, 2018 at 12:48:32AM +0100, Bernhard Übelacker wrote:
> On 28.10.2018 at 19:23, Colin Watson wrote:
> > Thanks for the investigation.  (Note also that the OpenSSH version in
> > question is the one that switched from OpenSSL 1.0 to 1.1, which was a
> > big change.)
> > 
> > There were some significant changes in this area in OpenSSL 1.1.1.
> > Would it be possible to try running OpenSSH with OpenSSL 1.1.0h to see
> > if that makes a difference?  Unfortunately this is a little complicated
> > as it will require doing a local build of the Debian OpenSSH source
> > package in order to reduce the dependency; let me know if you need help
> > with setting this up.
> 
> Hello Colin Watson,
> I built a local package OpenSSH 7.9p1-1 against OpenSSL 1.1.0h as
> described in the upper half of the attached file.
> This shows a normal start of the ssh service, and login is
> possible immediately after a restart,
> running on linux-image-4.18.0-2-amd64 4.18.10-2.
> 
> Because it was suggested in another bug, with a similar issue with the
> login manager (that I cannot find right now), to test the previous
> kernel, I reverted back to regular OpenSSH 7.9p1-1 with OpenSSL 1.1.1-1
> and it shows the same delay when running with kernel
> linux-image-4.17.0-3-amd64 4.17.17-1.
> 
> Just found the possibly somehow related bug #910504, that proposes
> the installation of rng-tools - but this just fails to start because
> of "Cannot find a hardware RNG device to use.", with OpenSSH 7.9p1-1
> with OpenSSL 1.1.1-1 at linux-image-4.18.0-2-amd64 4.18.10-2.

Thanks for testing; it does look as though this problem is mainly due to
the changes to the OpenSSL random generator in 1.1.1, and the appearance
of it being an OpenSSH regression was caused by OpenSSH switching to
OpenSSL 1.1.x at around the same time.

Reassigning to OpenSSL - could the OpenSSL maintainers please have a
look and advise what's best to do?  (See the start of the bug, reporting
a delay of more than one minute in system boot in some cases, mainly
waiting for sshd to start.)

Thanks,

-- 
Colin Watson                                       [cjwatson at debian.org]


