Created attachment 211188: Patch for files/patch-Makefile.in

Building pound takes a long time due to openssl dhparam being run during the build phase. Suggest speeding this up (for long keys) by using -dsaparam option.
Comment on attachment 211188: Patch for files/patch-Makefile.in

Whitespace broken by copy/paste, will upload new patch.
Created attachment 211190: (fixed) Use dhparam -dsaparam and don't specify generator
(In reply to Eirik Oeverby from comment #2)

Obvious cryptography weakening just to speed up port building doesn't sound reasonable ... `-dsaparam` stays, according to the manual, for `Read or generate DSA parameters, convert to DH`. So, to use weak DSA is not a good idea as well as switching generator off. Why not use pkg if the speed is the main concern?
(In reply to Zeus Panchenko from comment #3)

It's not terribly obvious (in fact it might be outright wrong), and anyone relying on params generated at compile time on the FreeBSD build cluster is not going to care anyway. We build our packages in-house and pound tends to get rebuilt quite often due to other dependencies.

See https://security.stackexchange.com/questions/42415/openvpn-dhparam for an excellent discussion about this - usual caveats about trusting stackexchange obviously apply; I'm referring to it because it's easily digestible information.

Basic takeaways:
- Not using -dsaparam offers no meaningful security benefit
- Using -dsaparam has no appreciable negative side effects (performance is mentioned, but that's mostly theoretical)
- Using different primes (dhparam) than the rest of the world is a good thing

All I'm asking for is a dramatic reduction in compile time (especially with system defaults of large primes) in exchange for zero reduction in security. :)
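The two parameter-generation strategies argued over in the comments above, as an added toy-size example that is neither the port's Makefile nor OpenSSL's own code: the safe-prime search `openssl dhparam` performs by default, the DSA-style search that `-dsaparam` selects, a generator derived from the subgroup order q instead of a fixed one, and a check that tells the two kinds of (p, q) apart. Bit sizes, seeds and function names are my own, chosen for illustration.

```python
import random
SMALL = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test, after cheap trial division."""
    if n < 2 or any(n % sp == 0 for sp in SMALL):
        return n in SMALL
    r = ((n - 1) & (1 - n)).bit_length() - 1  # trailing zero bits of n-1
    d = (n - 1) >> r                          # n-1 == d * 2**r, d odd
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_safe_prime(bits, seed=None):
    """Default `openssl dhparam`: keep drawing q until q AND p = 2q+1 are prime."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1  # q odd, p gets `bits` bits
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

def gen_dsa_style(bits, qbits, seed=None):
    """`-dsaparam`: fix one prime q, then search p = k*q + 1; only p needs luck."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:
        k = rng.getrandbits(bits - qbits) | (1 << (bits - qbits - 1))
        p = k * q + 1
        if p.bit_length() == bits and is_probable_prime(p):
            return p, q

def subgroup_generator(p, q):
    """Element of order q: h^((p-1)/q) mod p for the first h that does not give 1."""
    return next(g for g in (pow(h, (p - 1) // q, p) for h in range(2, p - 1)) if g != 1)

def is_safe_prime_group(p, q):
    """True when q == (p-1)/2, the "safe prime" shape the default build step waits for."""
    return p == 2 * q + 1 and is_probable_prime(q)
```

At 2048 bits the safe-prime loop needs q and 2q+1 to be prime on the same draw, which is what makes the default build step slow; the DSA-style loop only ever waits on p.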
Created attachment 211719: OPTION to pass -dsaparam
(In reply to Eirik Oeverby from comment #4)
> All I'm asking for is a dramatic reduction in compile time
> (especially with system defaults of large primes) in exchange
> for zero reduction in security.

Would an option (off by default) be sufficient for your needs?
(In reply to Alexey Dokuchaev from comment #6)

Thank you very much for your effort! This will do just fine. Given the uselessness of the current mode of operation, I'd prefer it to default to the "fast" mode - but I suspect that discussion will take until the end of time. :)
A commit references this bug:

Author: danfe
Date: Tue Feb 18 11:09:59 UTC 2020
New revision: 526452
URL: https://svnweb.freebsd.org/changeset/ports/526452

Log:
  Allow to cut the package build times by generating DH parameters
  without using "safe" primes.

  PR:           243724
  Submitted by: Eirik Oeverby
  Approved by:  maintainer

Changes:
  head/www/pound/Makefile
Committed as ports r526452.