Thanks Dewitt for the links. These are very useful. Will check with our kernel team on the instructions/points made in the given links and will try to find a workaround to resolve httpd hanging. Thanks a lot for your help.

With Regards,
Venkatesh

On Fri, Sep 24, 2021 at 9:57 PM Otis Dewitt - NOAA Affiliate <otis.dew...@noaa.gov.invalid> wrote:

> I did not find many but here are some notes for Yocto.
>
> 1.) http://ch.ege.io/blog/2015/05/04/using-h-slash-w-randaom-generator-on-odrod-c1-with-yocto/
> 2.) https://wiki.yoctoproject.org/wiki/Entropy_on_Autobuilders
>
> Thanks,
> Otis
>
> On Fri, Sep 24, 2021 at 9:14 AM alchemist vk <alchemist...@gmail.com> wrote:
>
>> Thanks Dewitt for the very thorough and insightful explanation. We are using a Yocto-packaged Linux version with the openssl version being OpenSSL 1.1.1k-fips 25 Mar 2021.
>>
>> With Regards,
>> Venkatesh
>>
>> On Fri, Sep 24, 2021 at 12:11 AM Otis Dewitt - NOAA Affiliate <otis.dew...@noaa.gov.invalid> wrote:
>>
>>> No problem Venkatesh.
>>>
>>> No, I don't know how to generate entropy in Apache because I think Apache uses the system entropy.
>>> You can check how much is available via: "cat /proc/sys/kernel/random/entropy_avail".
>>>
>>> Under the system I know of two different packages, one *rngd* and the other *haveged*.
>>>
>>> The *rngd* daemon, which is a part of the rng-tools package, is capable of using both environmental noise and hardware random number generators for extracting entropy. The daemon checks whether the data supplied by the source of randomness is sufficiently random and then stores it in the kernel's random-number entropy pool. The random numbers it generates are made available through the /dev/random and /dev/urandom character devices.
>>>
>>> The *haveged* project is an attempt to provide an easy-to-use, unpredictable random number generator based upon an adaptation of the HAVEGE <http://www.irisa.fr/caps/projects/hipsor/> algorithm. Haveged was created to remedy low-entropy conditions in the Linux random device that can occur under some workloads, especially on headless servers. Current development of haveged is directed towards improving overall reliability and adaptability while minimizing the barriers to using haveged for other tasks.
>>>
>>> What OS are you using? Redhat, CentOS, etc.?
>>>
>>> On Thu, Sep 23, 2021 at 2:06 PM alchemist vk <alchemist...@gmail.com> wrote:
>>>
>>>> Thanks Dewitt for your inputs.
>>>> Will check from the system perspective how to generate more entropy and resolve this issue.
>>>>
>>>> Do you know how to generate more entropy in the system or via Apache so that it can never be deprived of entropy?
>>>>
>>>> With Regards,
>>>> Venkatesh
>>>>
>>>> On Thu, Sep 23, 2021 at 8:46 PM Otis Dewitt - NOAA Affiliate <otis.dew...@noaa.gov.invalid> wrote:
>>>>
>>>>> Hmm, I see. I'm not sure why you did not get this right away when switching from openssl to openssl-fips, because FIPS requires a lot of entropy, and if this is on VMware, that has very poor entropy unless you use an entropy generator like *haveged* or load the *virtio_rng* kernel module.
>>>>> As I said before, I am not sure how you will fix this without generating more entropy; it seems the system is unable to create enough, and there is no way around this.
>>>>>
>>>>> On Thu, Sep 23, 2021 at 1:15 AM alchemist vk <alchemist...@gmail.com> wrote:
>>>>>
>>>>>> Thanks *Jon* for the openssl command confirmation.
>>>>>> *@ylavik*,
>>>>>> It's a Linux OS and the openssl version is 1.1.1k-fips. I have not yet explored SSLRandomSeed changes.
>>>>>> Yes, we upgraded openssl a few months back to 1.1.1k, but we have been seeing this httpd hang issue since last month.
>>>>>>
>>>>>> *@otis Dewitt*, Since it's production code in systems, I can't install haveged and try it out.
>>>>>>
>>>>>> On Thu, Sep 23, 2021 at 4:57 AM Otis Dewitt - NOAA Affiliate <otis.dew...@noaa.gov.invalid> wrote:
>>>>>>
>>>>>>> I don't think "insufficient entropy" has anything to do with Apache, but you could try installing the "haveged" rpm.
>>>>>>> That may solve your problem.
>>>>>>>
>>>>>>> On Wed, Sep 22, 2021 at 2:11 PM alchemist vk <alchemist...@gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi All,
>>>>>>>> We are using httpd version 2.4.46 and it has been working fine for a long time. But recently, we started seeing an issue where Apache hangs indefinitely even when the system is in an idle state.
>>>>>>>> And when Apache hangs, I see the below entries in error_log:
>>>>>>>> [Tue Sep 21 22:05:53.243013 2021] [ssl:warn] [pid 5769:tid 2644435888] AH01990: Server: PRNG still contains insufficient entropy!
>>>>>>>> [Tue Sep 21 22:05:54.501476 2021] [ssl:warn] [pid 5769:tid 2787111856] AH01990: Server: PRNG still contains insufficient entropy!
>>>>>>>> [Tue Sep 21 22:05:54.502449 2021] [ssl:warn] [pid 5769:tid 2787111856] AH01990: Server: PRNG still contains insufficient entropy!
>>>>>>>> ...
>>>>>>>> ....
>>>>>>>> ....
>>>>>>>>
>>>>>>>> I am pretty sure we have not changed anything related to the httpd config for quite a long time and have no idea why this issue started getting manifested now.
>>>>>>>> Please help me with how to RC this and what logs can be looked at to debug further.
>>>>>>>>
>>>>>>>> PS: Occurrence of the issue is higher in systems where FIPS is enabled. In FIPS-disabled systems, occurrence is less.
>>>>>>>>
>>>>>>>> With Regards
>>>>>>>> Venkat
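The checks scattered through the thread (reading entropy_avail, looking for rngd, haveged, a hardware RNG or virtio_rng, and inspecting the SSLRandomSeed directives) gathered into one triage script that can be run on a production host without installing anything. This is an added example, not code from the thread, from httpd or from rng-tools/haveged; the 256-bit "low" threshold, the file paths (overridable through environment variables so the functions can be pointed at files copied off the affected box) and the sample config used in the test are assumptions.

```shell
#!/bin/sh
# Entropy triage for mod_ssl AH01990 "PRNG still contains insufficient entropy".
# Added example; paths and threshold below are assumptions, not values from the thread.

ENTROPY_FILE=${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}
POOLSIZE_FILE=${POOLSIZE_FILE:-/proc/sys/kernel/random/poolsize}
MODULES_FILE=${MODULES_FILE:-/proc/modules}
# Assumed threshold: below this many bits the kernel pool is treated as starved.
LOW_THRESHOLD=${LOW_THRESHOLD:-256}

# Print the integer held in a procfs-style counter file, or -1 if it cannot be read.
read_counter() {
  if [ -r "$1" ]; then
    n=$(tr -dc '0-9' < "$1")
    echo "${n:--1}"
  else
    echo -1
  fi
}

# Classify a reading: "unknown" (no data), "low" (below threshold) or "ok".
classify_entropy() {
  avail=$1
  threshold=${2:-$LOW_THRESHOLD}
  if [ "$avail" -lt 0 ]; then
    echo unknown
  elif [ "$avail" -lt "$threshold" ]; then
    echo low
  else
    echo ok
  fi
}

# Space-separated list of the entropy feeders the thread mentions that are
# present on this host: a hardware RNG device node, the virtio_rng module,
# a running rngd, a running haveged.
entropy_sources() {
  found=""
  [ -c /dev/hwrng ] && found="$found hwrng"
  if [ -r "$MODULES_FILE" ] && grep -q '^virtio_rng ' "$MODULES_FILE"; then
    found="$found virtio_rng"
  fi
  for daemon in rngd haveged; do
    if command -v pgrep >/dev/null 2>&1 && pgrep -x "$daemon" >/dev/null 2>&1; then
      found="$found $daemon"
    fi
  done
  echo "${found# }"
}

# Print the active SSLRandomSeed directives from an httpd config file,
# leading whitespace stripped; commented-out lines are skipped.
ssl_random_seed_lines() {
  grep -iE '^[[:space:]]*SSLRandomSeed[[:space:]]' "$1" | sed 's/^[[:space:]]*//'
}

# One-screen summary. Always exits 0 so it can run from cron alongside httpd.
report() {
  avail=$(read_counter "$ENTROPY_FILE")
  pool=$(read_counter "$POOLSIZE_FILE")
  state=$(classify_entropy "$avail")
  src=$(entropy_sources)
  echo "entropy_avail=$avail poolsize=$pool state=$state"
  echo "sources: ${src:-none}"
  case $state in
    low) echo "kernel pool is starved: consider rngd (rng-tools), haveged, or virtio_rng on a VM" ;;
    unknown) echo "could not read $ENTROPY_FILE: run on the affected host or set ENTROPY_FILE" ;;
  esac
  if [ -n "${1:-}" ] && [ -r "$1" ]; then
    echo "SSLRandomSeed directives in $1:"
    ssl_random_seed_lines "$1"
  fi
  return 0
}

# Usage: sh entropy_triage.sh [/path/to/httpd-ssl.conf]
report "$@"
```

Two caveats when reading the output. On kernels from 5.18 onward the pool accounting was rewritten and entropy_avail simply reports 256 once the CRNG is initialised, so "low" is only meaningful on the older kernels a 2021 Yocto build would be running. And AH01990 is mod_ssl reporting that OpenSSL's RAND_status() is still zero after the SSLRandomSeed sources were fed in, so a healthy kernel reading narrows the problem to the FIPS build's own seeding path rather than ruling entropy out.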