#49387 pbkdf2 time cap and limit may be too aggresive
Closed: fixed 2 years ago Opened 2 years ago by firstyear.

Issue Description

An admin noticed that their machine had a 70% cpu increase with pbkdf2 binds. This is likely related to the time cap being too large, and the minimal threshold being too high especially given the nss impl bug.

We should consider lowering the time amount and minimal cap to help ease people into this scheme. Today, even pbkdf2 at 1024 rounds is better than what we have today in ssha512.


Metadata Update from @firstyear:
- Issue assigned to firstyear

2 years ago

Do I dare suggest making it configurable? I do :-p just a suggestion, not a hard request.

Metadata Update from @mreynolds:
- Custom field component adjusted to None
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None

2 years ago

I knew someone would say it ;)

I still want to avoid configuration of this, I think we should be able to get it "right" because most people won't touch it - they'll set and forget, and they'll never make it better again,

I think the issue is we just need to be more conservative instead while the issue in NSS exists.

Metadata Update from @firstyear:
- Custom field reviewstatus adjusted to review (was: None)

2 years ago

Metadata Update from @mreynolds:
- Custom field reviewstatus adjusted to ack (was: review)

2 years ago

commit ee25b88
To ssh://git@pagure.io/389-ds-base.git
805e8f4..ee25b88 master -> master

Metadata Update from @firstyear:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

@firstyear - should this also go into 1.3.7?

Login to comment on this ticket.

Metadata