On Wed, Apr 07, 2004 at 03:39:42PM -0600, RYAN vAN GINNEKEN wrote:

> Seems to initialize ssl but my ssl page still does not work however my
> regular page does work.  Here is a print out of the log file when I do
> an apachectl stop and apachectl startssl.  When I use startssl
> everything works great including my ssl page.

> [Wed Apr 07 13:20:08 2004] [info] Init: Seeding PRNG with 0 bytes of entropy
> [Wed Apr 07 13:20:08 2004] [warn] Init: Session Cache is not configured
> [hint: SSLSess

The fact that you can do an apachectl startssl and have everything
work as desired means that you're 99.99% of the way to getting it all
to work.  The modification to the apache2.sh script I sent you last
time should force that script to always run 'apachectl startssl'
itself, so that shouldn't be the problem.

Hmmm... I think that perhaps the problem arises from when the
apache2.sh script is run.  I'm guessing that the 'Seeding PRNG' line
is significant -- it apparently means that there is no random data yet
available from /dev/random at the point when apache is started up in
the boot sequence.  As you're running 4.9, that can be cured by
telling the system to use some appropriate IRQs as sources of
randomness.  First run:

    % vmstat -i

and look for the IRQs where there are a lot of interrupts generated.
Not the 'clk' or 'rtc' interrupts, as those are clock ticks, firing at
regular intervals, which is worse than useless as a source of
randomness.  I find that irq12 (psm0 -- the mouse), irq1 (atkbd0 --
the keyboard), irq11 (mux -- multiplex: but this is network activity
mostly) and irq15 (mux -- multiplex again, but disk activity mostly)
work well for me, but you will have to choose 2 or 3 or 4 suitable
IRQs on your own system to harvest for randomness.

Then add them to /etc/rc.conf

    rand_irqs="1 11 12 15"

Then reboot.  (See rndcontrol(8) for more details)

With luck, and a following wind, there will be sufficient system
activity during startup that there will be sufficient random data
available to prime the PRNG used by OpenSSL, which should let apache
start up automatically.

        Cheers,

        Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
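
Added example, not part of the original message: a shell helper that applies the selection rule described above (skip the 'clk' and 'rtc' timer interrupts, prefer the busiest remaining IRQs) to `vmstat -i` output and prints the matching /etc/rc.conf line. The sample output is constructed, the "device irqN total rate" column layout is an assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `vmstat -i` output (assumed layout: device irqN total rate).
sample_vmstat() {
cat <<'EOF'
interrupt                   total       rate
clk irq0                 29144470         99
atkbd0 irq1                104821          0
fdc0 irq6                       1          0
rtc irq8                 37305013        127
mux irq11                 1538432          5
psm0 irq12                  90233          0
ata0 irq14                  89364          0
mux irq15                  412007          1
Total                    68684341        232
EOF
}

# pick_rand_irqs [max]: read `vmstat -i` text on stdin and print up to
# max (default 4) IRQ numbers, space separated, in ascending order.
pick_rand_irqs() {
    max=${1:-4}
    awk '
        NR == 1 || $1 == "Total" { next }    # header and summary rows
        $1 == "clk" || $1 == "rtc" { next }  # fixed-interval ticks: no entropy
        $2 ~ /^irq[0-9]+$/ && $3 > 0 {       # keep devices that actually fired
            sub(/^irq/, "", $2)
            print $3, $2                     # count first, so sort can rank on it
        }
    ' | sort -k1,1nr | head -n "$max" | awk '{ print $2 }' \
      | sort -n | paste -sd ' ' -
}

# rc_conf_line [max]: same input, formatted as the rc.conf setting.
# Interrupt count is only the heuristic from the message; review the
# chosen devices before committing the line to /etc/rc.conf.
rc_conf_line() {
    printf 'rand_irqs="%s"\n' "$(pick_rand_irqs "$@")"
}

# Demonstration on the constructed sample; on a live system use:
#   vmstat -i | rc_conf_line
sample_vmstat | rc_conf_line 4
```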
