I'm not sure what's wrong with my network settings; the SSL handshake takes a really long time to complete (about 5-20s).
This did not happen with my other devices (Android and Windows).
Here are the same two curl commands run on my laptop (Arch Linux) and my router (which my laptop is connected to over Wi-Fi). As you can see, it takes 7 seconds from client hello to server hello on my laptop. This can take up to 20s in the worst case.
I'm happy to provide any info if needed.
Laptop:
time curl -v --trace-time "https://archlinux.org"
21:03:03.946844 * Host archlinux.org:443 was resolved.
21:03:03.947004 * IPv6: 2a01:4f9:c010:6b1f::1
21:03:03.947076 * IPv4: 95.217.163.246
21:03:03.947203 * Trying [2a01:4f9:c010:6b1f::1]:443...
21:03:03.947374 * Immediate connect fail for 2a01:4f9:c010:6b1f::1: Network is unreachable
21:03:03.947444 * Trying 95.217.163.246:443...
21:03:04.250310 * ALPN: curl offers h2,http/1.1
21:03:04.250461 * TLSv1.3 (OUT), TLS handshake, Client hello (1):
21:03:04.255885 * CAfile: /etc/ssl/certs/ca-certificates.crt
21:03:04.255912 * CApath: none
21:03:11.934849 * TLSv1.3 (IN), TLS handshake, Server hello (2):
21:03:11.935253 * TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
21:03:11.935307 * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
21:03:12.216345 * TLSv1.3 (IN), TLS handshake, Certificate (11):
21:03:12.217908 * TLSv1.3 (IN), TLS handshake, CERT verify (15):
21:03:12.218019 * TLSv1.3 (IN), TLS handshake, Finished (20):
21:03:12.218063 * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
21:03:12.218089 * TLSv1.3 (OUT), TLS handshake, Finished (20):
21:03:12.218131 * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / id-ecPublicKey
21:03:12.218157 * ALPN: server accepted h2
21:03:12.218180 * Server certificate:
21:03:12.218206 * subject: CN=archlinux.org
21:03:12.218225 * start date: Nov 18 20:34:37 2024 GMT
21:03:12.218243 * expire date: Feb 16 20:34:36 2025 GMT
21:03:12.218269 * subjectAltName: host "archlinux.org" matched cert's "archlinux.org"
21:03:12.218289 * issuer: C=US; O=Let's Encrypt; CN=E6
21:03:12.218310 * SSL certificate verify ok.
21:03:12.218334 * Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384
21:03:12.218356 * Certificate level 1: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using sha256WithRSAEncryption
21:03:12.218379 * Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
21:03:12.218416 * Connected to archlinux.org (95.217.163.246) port 443
21:03:12.218437 * using HTTP/2
21:03:12.218472 * [HTTP/2] [1] OPENED stream for https://archlinux.org/
21:03:12.218492 * [HTTP/2] [1] [:method: GET]
21:03:12.218512 * [HTTP/2] [1] [:scheme: https]
21:03:12.218534 * [HTTP/2] [1] [:authority: archlinux.org]
21:03:12.218555 * [HTTP/2] [1] [:path: /]
21:03:12.218572 * [HTTP/2] [1] [user-agent: curl/8.11.0]
21:03:12.218595 * [HTTP/2] [1] [accept: */*]
21:03:12.218634 > GET / HTTP/2
21:03:12.218634 > Host: archlinux.org
21:03:12.218634 > User-Agent: curl/8.11.0
21:03:12.218634 > Accept: */*
21:03:12.218634 >
21:03:12.218744 * Request completely sent off
21:03:12.489038 * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
21:03:12.489157 * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
21:03:12.489249 < HTTP/2 200
21:03:12.489292 < server: nginx
21:03:12.489338 < date: Sat, 30 Nov 2024 14:03:11 GMT
21:03:12.489379 < content-type: text/html; charset=utf-8
21:03:12.489424 < content-length: 25968
21:03:12.489469 < cache-control: max-age=307
21:03:12.489517 < content-security-policy: default-src 'self'; img-src 'self' data:; frame-ancestors 'none'; form-action 'self'; base-uri 'none'; script-src 'self'
21:03:12.489561 < etag: "1c2fc08539fbf0dd267f18e09ca7cec4"
21:03:12.489606 < x-content-type-options: nosniff
21:03:12.489650 < referrer-policy: strict-origin
21:03:12.489695 < cross-origin-opener-policy: same-origin
21:03:12.489735 < x-frame-options: DENY
21:03:12.489781 < vary: Cookie
21:03:12.489828 < strict-transport-security: max-age=31536000; includeSubdomains; preload
21:03:12.489870 < alt-svc: h3=":443"; ma=3600
21:03:12.489918 < x-cache-status: HIT
<http response stripped out>
21:03:13.434858 * Connection #0 to host archlinux.org left intact
________________________________________________________
Executed in 9.61 secs fish external
usr time 10.96 millis 0.00 micros 10.96 millis
sys time 11.68 millis 749.00 micros 10.93 millis
Router:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
21:19:10.654697 } [5 bytes data]
21:19:10.655051 * TLSv1.3 (OUT), TLS handshake, Client hello (1):
21:19:10.655132 } [512 bytes data]
21:19:10.923519 * TLSv1.3 (IN), TLS handshake, Server hello (2):
21:19:10.923616 { [122 bytes data]
21:19:10.931787 * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
21:19:10.931871 { [25 bytes data]
21:19:10.932355 * TLSv1.3 (IN), TLS handshake, Certificate (11):
21:19:10.932429 { [2161 bytes data]
21:19:10.987382 * TLSv1.3 (IN), TLS handshake, CERT verify (15):
21:19:10.987493 { [78 bytes data]
21:19:11.003427 * TLSv1.3 (IN), TLS handshake, Finished (20):
21:19:11.003518 { [36 bytes data]
21:19:11.004097 * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
21:19:11.004197 } [1 bytes data]
21:19:11.004694 * TLSv1.3 (OUT), TLS handshake, Finished (20):
21:19:11.004769 } [36 bytes data]
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
21:19:11.006354 > GET / HTTP/1.1
21:19:11.006354 > Host: archlinux.org
21:19:11.006354 > User-Agent: curl/8.4.0
21:19:11.006354 > Accept: */*
21:19:11.006354 >
21:19:11.538048 { [5 bytes data]
21:19:11.538524 * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
21:19:11.538607 { [57 bytes data]
21:19:11.539464 * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
21:19:11.539564 { [57 bytes data]
21:19:11.541293 < HTTP/1.1 200 OK
21:19:11.541435 < Server: nginx
21:19:11.541530 < Date: Sat, 30 Nov 2024 14:19:11 GMT
21:19:11.541618 < Content-Type: text/html; charset=utf-8
21:19:11.541726 < Content-Length: 25968
21:19:11.541815 < Connection: keep-alive
21:19:11.541898 < Cache-Control: max-age=307
21:19:11.541989 < Content-Security-Policy: default-src 'self'; img-src 'self' data:; frame-ancestors 'none'; form-action 'self'; base-uri 'none'; script-src 'self'
21:19:11.542072 < ETag: "1c2fc08539fbf0dd267f18e09ca7cec4"
21:19:11.542154 < X-Content-Type-Options: nosniff
21:19:11.542237 < Referrer-Policy: strict-origin
21:19:11.542321 < Cross-Origin-Opener-Policy: same-origin
21:19:11.542405 < X-Frame-Options: DENY
21:19:11.542486 < Vary: Cookie
21:19:11.542589 < Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
21:19:11.542676 < Alt-Svc: h3=":443"; ma=3600
21:19:11.542758 < X-Cache-Status: HIT
100 25968 100 25968 0 0 18184 0 0:00:01 0:00:01 --:--:-- 18210
real 0m 1.46s
user 0m 0.13s
sys 0m 0.00s
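The two traces above are compared by eye. The script below, added here as an example and not part of the original post, turns `curl -v --trace-time` output into per-phase timings (TCP connect, Client hello to Server hello, the rest of the handshake, request to first response line) and names the slowest phase. The embedded sample traces are excerpts of the laptop and router output posted above; the marker substrings are curl's own verbose messages, while the phase names and the midnight wrap-around handling are this script's own.

```python
"""Per-phase timing of a TLS handshake from `curl -v --trace-time` output.

Added example. The trace excerpts below are copied from the laptop and
router runs in the post; the phase names are this script's own.
"""
import re
from datetime import datetime

TS_LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{6}) (.*)$")

# (event, substring of the curl trace line that marks it)
MARKERS = [
    ("connecting", "* Trying "),
    ("client_hello", "TLS handshake, Client hello (1)"),
    ("server_hello", "TLS handshake, Server hello (2)"),
    ("client_finished", "(OUT), TLS handshake, Finished (20)"),
    ("request_sent", "> GET "),
    ("response", "< HTTP/"),
]

# (phase, start event, end event)
PHASES = [
    ("tcp_connect", "connecting", "client_hello"),
    ("client_hello_to_server_hello", "client_hello", "server_hello"),
    ("rest_of_handshake", "server_hello", "client_finished"),
    ("request_to_response", "request_sent", "response"),
]


def parse_events(trace):
    """Map each marker to the timestamp of its first matching line.

    'connecting' keeps the *last* 'Trying' line instead: curl may fail an
    IPv6 attempt instantly (as in the laptop trace) before the IPv4 one.
    """
    events = {}
    for raw in trace.splitlines():
        match = TS_LINE.match(raw.strip())
        if not match:
            continue
        stamp = datetime.strptime(match.group(1), "%H:%M:%S.%f")
        body = match.group(2)
        for event, needle in MARKERS:
            if needle in body and (event == "connecting" or event not in events):
                events[event] = stamp
    return events


def seconds_between(events, start, end):
    """Elapsed seconds from start to end event; None if either is missing."""
    if start not in events or end not in events:
        return None
    delta = (events[end] - events[start]).total_seconds()
    if delta < 0:  # the trace crossed midnight
        delta += 86400
    return round(delta, 6)


def handshake_phases(trace):
    """Return {phase: seconds or None} for one curl trace."""
    events = parse_events(trace)
    return {phase: seconds_between(events, a, b) for phase, a, b in PHASES}


def slowest_phase(phases):
    """Name of the longest measured phase, or None if nothing was measured."""
    measured = {k: v for k, v in phases.items() if v is not None}
    return max(measured, key=measured.get) if measured else None


# Excerpt of the laptop trace from the post (lines not needed here omitted).
LAPTOP_TRACE = """\
21:03:03.947203 * Trying [2a01:4f9:c010:6b1f::1]:443...
21:03:03.947374 * Immediate connect fail for 2a01:4f9:c010:6b1f::1: Network is unreachable
21:03:03.947444 * Trying 95.217.163.246:443...
21:03:04.250310 * ALPN: curl offers h2,http/1.1
21:03:04.250461 * TLSv1.3 (OUT), TLS handshake, Client hello (1):
21:03:11.934849 * TLSv1.3 (IN), TLS handshake, Server hello (2):
21:03:12.218019 * TLSv1.3 (IN), TLS handshake, Finished (20):
21:03:12.218089 * TLSv1.3 (OUT), TLS handshake, Finished (20):
21:03:12.218634 > GET / HTTP/2
21:03:12.489249 < HTTP/2 200
"""

# Excerpt of the router trace from the post (no 'Trying' line was printed there).
ROUTER_TRACE = """\
21:19:10.655051 * TLSv1.3 (OUT), TLS handshake, Client hello (1):
21:19:10.923519 * TLSv1.3 (IN), TLS handshake, Server hello (2):
21:19:11.003427 * TLSv1.3 (IN), TLS handshake, Finished (20):
21:19:11.004694 * TLSv1.3 (OUT), TLS handshake, Finished (20):
21:19:11.006354 > GET / HTTP/1.1
21:19:11.541293 < HTTP/1.1 200 OK
"""

if __name__ == "__main__":
    for name, trace in (("laptop", LAPTOP_TRACE), ("router", ROUTER_TRACE)):
        phases = handshake_phases(trace)
        print(name, phases, "slowest:", slowest_phase(phases))
```

Feed it a fresh trace with `curl -v --trace-time https://archlinux.org 2>&1 | python3 this_script.py` after swapping the embedded samples for `sys.stdin.read()`. Which gap widens tells you which side to suspect: curl's TLS backend draws the ClientHello random and key share before the "Client hello (1)" line is printed, so a client-side RNG stall would show up between connect and Client hello, whereas Client hello to Server hello spans the network round trip and the server's work. In the laptop trace that first gap is 0.3 s and the second 7.7 s.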
One of the devices seems to run out of entropy and hence has to wait for enough entropy to be collected to properly seed the RNG.
But this happens really frequently, maybe some hardware issue?
Can I do anything about it?
Here is my hardware info if it helps:
OS: Arch Linux x86_64
Host: 21HY (ThinkBook 14 G5+ ARP)
Bios (UEFI): LECN18WW (1.18)
Bootmgr: Linux Boot Manager - systemd-bootx64.efi
Board: LNVNB161216 (SDK0T76479 WIN)
CPU: AMD Ryzen 7 7735H (16) @ 4.83 GHz - 50.9°C 1.133ms
CPU Cache (L1): 8x32.00 KiB (D), 8x32.00 KiB (I)
CPU Cache (L2): 8x512.00 KiB (U)
CPU Cache (L3): 16.00 MiB (U) 2.608ms
CPU Usage: 5% 200.432ms
GPU: AMD Radeon 680M (12) @ 2.20 GHz - 47.0°C [Integrated] 5.136ms
Chassis: Notebook (ThinkBook 14 G5+ ARP) 0.035ms
Kernel: Linux 6.12.1-arch1-1 0.008ms
Init System: systemd 256.8-2-arch 0.290m
And lspci -k output:
lspci -k
00:00.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h-19h PCIe Root Complex (rev 01)
Subsystem: Lenovo Device 3819
00:00.2 IOMMU: Advanced Micro Devices, Inc. [AMD] Family 17h-19h IOMMU
Subsystem: Lenovo Device 3816
00:01.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h-19h PCIe Dummy Host Bridge (rev 01)
00:01.2 PCI bridge: Advanced Micro Devices, Inc. [AMD] Family 17h-19h PCIe GPP Bridge
Subsystem: Advanced Micro Devices, Inc. [AMD] Device 1453
Kernel driver in use: pcieport
00:02.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h-19h PCIe Dummy Host Bridge (rev 01)
00:02.1 PCI bridge: Advanced Micro Devices, Inc. [AMD] Family 17h-19h PCIe GPP Bridge
Subsystem: Advanced Micro Devices, Inc. [AMD] Device 1453
Kernel driver in use: pcieport
00:02.2 PCI bridge: Advanced Micro Devices, Inc. [AMD] Family 17h-19h PCIe GPP Bridge
Subsystem: Advanced Micro Devices, Inc. [AMD] Device 1453
Kernel driver in use: pcieport
00:02.3 PCI bridge: Advanced Micro Devices, Inc. [AMD] Family 17h-19h PCIe GPP Bridge
Subsystem: Advanced Micro Devices, Inc. [AMD] Device 1453
Kernel driver in use: pcieport
00:03.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h-19h PCIe Dummy Host Bridge (rev 01)
00:03.1 PCI bridge: Advanced Micro Devices, Inc. [AMD] Family 19h USB4/Thunderbolt PCIe tunnel
Subsystem: Advanced Micro Devices, Inc. [AMD] Device 1453
Kernel driver in use: pcieport
00:04.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h-19h PCIe Dummy Host Bridge (rev 01)
00:08.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h-19h PCIe Dummy Host Bridge (rev 01)
00:08.1 PCI bridge: Advanced Micro Devices, Inc. [AMD] Family 17h-19h Internal PCIe GPP Bridge (rev 10)
Subsystem: Advanced Micro Devices, Inc. [AMD] Family 17h-19h Internal PCIe GPP Bridge
Kernel driver in use: pcieport
00:08.3 PCI bridge: Advanced Micro Devices, Inc. [AMD] Family 17h-19h Internal PCIe GPP Bridge (rev 10)
pcilib: Error reading /sys/bus/pci/devices/0000:00:08.3/label: Operation not permitted
Subsystem: Advanced Micro Devices, Inc. [AMD] Family 17h-19h Internal PCIe GPP Bridge
Kernel driver in use: pcieport
00:14.0 SMBus: Advanced Micro Devices, Inc. [AMD] FCH SMBus Controller (rev 71)
Subsystem: Lenovo Device 3882
Kernel driver in use: piix4_smbus
Kernel modules: i2c_piix4, sp5100_tco
00:14.3 ISA bridge: Advanced Micro Devices, Inc. [AMD] FCH LPC Bridge (rev 51)
Subsystem: Advanced Micro Devices, Inc. [AMD] FCH LPC Bridge
00:18.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Rembrandt Data Fabric: Device 18h; Function 0
00:18.1 Host bridge: Advanced Micro Devices, Inc. [AMD] Rembrandt Data Fabric: Device 18h; Function 1
00:18.2 Host bridge: Advanced Micro Devices, Inc. [AMD] Rembrandt Data Fabric: Device 18h; Function 2
00:18.3 Host bridge: Advanced Micro Devices, Inc. [AMD] Rembrandt Data Fabric: Device 18h; Function 3
Kernel driver in use: k10temp
Kernel modules: k10temp
00:18.4 Host bridge: Advanced Micro Devices, Inc. [AMD] Rembrandt Data Fabric: Device 18h; Function 4
00:18.5 Host bridge: Advanced Micro Devices, Inc. [AMD] Rembrandt Data Fabric: Device 18h; Function 5
00:18.6 Host bridge: Advanced Micro Devices, Inc. [AMD] Rembrandt Data Fabric: Device 18h; Function 6
00:18.7 Host bridge: Advanced Micro Devices, Inc. [AMD] Rembrandt Data Fabric: Device 18h; Function 7
01:00.0 Non-Volatile memory controller: Micron Technology Inc 3400 NVMe SSD [Hendrix]
Subsystem: Micron Technology Inc Device 0100
Kernel driver in use: nvme
Kernel modules: nvme
02:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8211/8411 PCI Express Gigabit Ethernet Controller (rev 15)
Subsystem: Lenovo Device 3951
Kernel driver in use: r8169
Kernel modules: r8169
03:00.0 Network controller: Realtek Semiconductor Co., Ltd. RTL8852BE PCIe 802.11ax Wireless Network Controller
DeviceName: Realtek
Subsystem: Lenovo Device 4853
Kernel driver in use: rtw89_8852be
Kernel modules: rtw89_8852be
04:00.0 Unassigned class [ff00]: Realtek Semiconductor Co., Ltd. RTS522A PCI Express Card Reader (rev 01)
Subsystem: Realtek Semiconductor Co., Ltd. RTS522A PCI Express Card Reader
Kernel driver in use: rtsx_pci
Kernel modules: rtsx_pci
74:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Rembrandt [Radeon 680M] (rev 06)
Subsystem: Lenovo Device 3815
Kernel driver in use: amdgpu
Kernel modules: amdgpu
74:00.1 Audio device: Advanced Micro Devices, Inc. [AMD/ATI] Rembrandt Radeon High Definition Audio Controller
Subsystem: Lenovo Device 3817
Kernel driver in use: snd_hda_intel
Kernel modules: snd_hda_intel
74:00.2 Encryption controller: Advanced Micro Devices, Inc. [AMD] Family 19h PSP/CCP
Subsystem: Lenovo Device 3832
Kernel driver in use: ccp
Kernel modules: ccp
74:00.3 USB controller: Advanced Micro Devices, Inc. [AMD] Rembrandt USB4 XHCI controller #3
Subsystem: Lenovo Device 3803
Kernel driver in use: xhci_hcd
74:00.4 USB controller: Advanced Micro Devices, Inc. [AMD] Rembrandt USB4 XHCI controller #4
Subsystem: Lenovo Device 3805
Kernel driver in use: xhci_hcd
74:00.5 Multimedia controller: Advanced Micro Devices, Inc. [AMD] ACP/ACP3X/ACP6x Audio Coprocessor (rev 60)
Subsystem: Lenovo Device 3870
Kernel driver in use: snd_pci_acp6x
Kernel modules: snd_pci_acp3x, snd_rn_pci_acp3x, snd_pci_acp5x, snd_pci_acp6x, snd_acp_pci, snd_rpl_pci_acp6x, snd_pci_ps, snd_sof_amd_renoir, snd_sof_amd_rembrandt, snd_sof_amd_vangogh, snd_sof_amd_acp63, snd_sof_amd_acp70
74:00.6 Audio device: Advanced Micro Devices, Inc. [AMD] Family 17h/19h HD Audio Controller
Subsystem: Lenovo Device 386a
Kernel driver in use: snd_hda_intel
Kernel modules: snd_hda_intel
75:00.0 USB controller: Advanced Micro Devices, Inc. [AMD] Rembrandt USB4 XHCI controller #8
Subsystem: Advanced Micro Devices, Inc. [AMD] Rembrandt USB4 XHCI controller #8
Kernel driver in use: xhci_hcd
75:00.3 USB controller: Advanced Micro Devices, Inc. [AMD] Rembrandt USB4 XHCI controller #5
Subsystem: Advanced Micro Devices, Inc. [AMD] Rembrandt USB4 XHCI controller #5
Kernel driver in use: xhci_hcd
75:00.4 USB controller: Advanced Micro Devices, Inc. [AMD] Rembrandt USB4 XHCI controller #6
Subsystem: Advanced Micro Devices, Inc. [AMD] Rembrandt USB4 XHCI controller #6
Kernel driver in use: xhci_hcd
75:00.5 USB controller: Advanced Micro Devices, Inc. [AMD] Rembrandt USB4/Thunderbolt NHI controller #1
Subsystem: Advanced Micro Devices, Inc. [AMD] Rembrandt USB4/Thunderbolt NHI controller #1
Kernel driver in use: thunderbolt
Kernel modules: thunderbolt
A system running out of entropy can happen due to two things:
a) too much entropy is used up
b) not enough entropy can be gathered
Entropy can't be generated but has to be gathered from background noise.
A system just idling without much going on has only a very limited source of entropy and needs a long time to gather enough to provide good randomness for crypto; when it suddenly gets an inrush of high entropy demand it can run out, and the default is to not provide any entropy rather than bad entropy.
How is entropy used:
The kernel provides /dev/random and /dev/urandom.
urandom comes from a pseudo-RNG and hence is always available, but as it's deterministic, because it's just math, it's not well suited for cryptography.
This is where random comes into play: it's fed by random actions like the noise of hard drive activity or user mouse input; these sources are said to be "unpredictable enough" so that deriving crypto secrets from them should be "unique enough within its time domain" to be secure against known attacks.
Now imagine a system that just sits there idle all day, nothing going on, and due to no running services there's pretty much nothing more happening as time ticks along; such a system can gather only very little true random entropy, like a random ARP ping from the router or an HDD seeking the head every once in a while and generating some random communication with the controller.
I noticed this behaviour when I once wrote some crypto code and used /dev/random all over it, quickly depleting the system's entropy so much that I sometimes struggled to establish a new SSH connection and most HTTPS requests just timed out.
It took days until I learned to use random only for the initial seed but otherwise rely on a strong pseudo-RNG re-seeded every X bits.
So it might be something similar in your situation: one side may struggle with entropy and has to wait until enough was gathered to continue crypto.
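Before tuning anything it is worth confirming that the RNG is actually the bottleneck. The script below, added here as an example and not part of the reply above, reports the kernel pool's state and times drawing random bytes through getrandom(), the interface modern TLS libraries seed from. One caveat a practitioner should keep in mind: since Linux 5.6, /dev/random and getrandom() block only until the pool has been seeded once at boot, so on the 6.12 kernel in this thread a steady-state shortage is unlikely; the measurement settles it either way. The 5-second stall, the 1 KiB-per-handshake randomness budget and the 1% verdict threshold are assumptions, not values from the thread.

```python
"""Is the kernel RNG a plausible cause of a multi-second TLS stall?

Added example. Assumptions: a handshake needs no more than ~1 KiB of
randomness (ClientHello random, key share, session ids), and the RNG is
only a suspect if supplying that budget takes more than 1% of the stall.
"""
import os
import time

ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"
POOL_SIZE = "/proc/sys/kernel/random/poolsize"
HANDSHAKE_BUDGET = 1024  # bytes of randomness per handshake (assumption)
READ_SIZE = 32           # ClientHello random is 32 bytes; draw in that unit


def read_counter(path):
    """Read an integer from /proc; None when not on Linux or not readable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def pool_initialized():
    """True if getrandom() would return immediately.

    GRND_NONBLOCK turns the 'pool not yet seeded' wait into EAGAIN, which
    Python surfaces as BlockingIOError. Platforms without os.getrandom()
    (non-Linux) never block in os.urandom, so report True there.
    """
    getrandom = getattr(os, "getrandom", None)
    if getrandom is None:
        return True
    try:
        getrandom(1, getattr(os, "GRND_NONBLOCK", 0))
        return True
    except BlockingIOError:
        return False


def time_handshake_budget(budget=HANDSHAKE_BUDGET, chunk=READ_SIZE):
    """Seconds needed to draw `budget` bytes in `chunk`-sized kernel RNG calls."""
    getrandom = getattr(os, "getrandom", None)
    draw = getrandom if getrandom else os.urandom
    start = time.perf_counter()
    for _ in range(budget // chunk):
        if len(draw(chunk)) != chunk:
            raise RuntimeError("short read from kernel RNG")
    return time.perf_counter() - start


def rng_report(stall_seconds=5.0):
    """Collect the evidence and say whether the RNG can explain the stall."""
    initialized = pool_initialized()
    draw_seconds = time_handshake_budget() if initialized else None
    if not initialized:
        verdict = "pool not seeded: getrandom() would block"
    elif draw_seconds > stall_seconds / 100:
        verdict = "rng slow: investigate"
    else:
        verdict = "rng not the bottleneck"
    return {
        "entropy_avail": read_counter(ENTROPY_AVAIL),
        "pool_size": read_counter(POOL_SIZE),
        "pool_initialized": initialized,
        "draw_seconds": draw_seconds,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in rng_report().items():
        print(f"{key:>17}: {value}")
```

Run it on both ends, the laptop and (if it has Python) the router. To watch curl itself rather than a proxy measurement, `strace -f -T -e trace=getrandom,openat curl -s -o /dev/null https://archlinux.org` prints each of those calls with the time spent inside it; a getrandom() lasting seconds, or an open of /dev/random followed by a long wait, would confirm the hypothesis, while microsecond calls rule it out.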