Thanks Dewitt for the very thorough and insightful explanation. We are using a Yocto-packaged Linux version, with the OpenSSL version being OpenSSL 1.1.1k-fips 25 Mar 2021.
With Regards,
Venkatesh

On Fri, Sep 24, 2021 at 12:11 AM Otis Dewitt - NOAA Affiliate <otis.dew...@noaa.gov.invalid> wrote:

> No problem Venkatesh.
>
> No, I don't know how to generate entropy in Apache because I think Apache uses the system entropy.
> You can check how many are available via: "cat /proc/sys/kernel/random/entropy_avail".
>
> Under the system I know of two different packages, one *rngd* and the other *haveged*.
>
> The *rngd* daemon, which is a part of the rng-tools package, is capable of using both environmental noise and hardware random number generators for extracting entropy. The daemon checks whether the data supplied by the source of randomness is sufficiently random and then stores it in the kernel's random-number entropy pool. The random numbers it generates are made available through the /dev/random and /dev/urandom character devices.
>
> The *haveged* project is an attempt to provide an easy-to-use, unpredictable random number generator based upon an adaptation of the HAVEGE <http://www.irisa.fr/caps/projects/hipsor/> algorithm. Haveged was created to remedy low-entropy conditions in the Linux random device that can occur under some workloads, especially on headless servers. Current development of haveged is directed towards improving overall reliability and adaptability while minimizing the barriers to using haveged for other tasks.
>
> What OS are you using? Redhat CentOS etc . . .
>
> On Thu, Sep 23, 2021 at 2:06 PM alchemist vk <alchemist...@gmail.com> wrote:
>
>> Thanks Dewitt for your inputs.
>> Will check from the system perspective how to generate more entropy and resolve this issue.
>>
>> Do you know how to generate more entropy in the system or via Apache so that it can never be deprived of entropy?
>>
>> With Regards,
>> Venkatesh
>>
>> On Thu, Sep 23, 2021 at 8:46 PM Otis Dewitt - NOAA Affiliate <otis.dew...@noaa.gov.invalid> wrote:
>>
>>> Hmm I see, I'm not sure why you did not get this right away when switching from openssl to openssl-fips, because FIPS requires a lot of entropy, and if this is on VMWARE, that has very poor entropy unless you use an entropy generator like "*haveged*" or load the *virtio_rng* kernel module.
>>> As I said before, I am not sure how you will fix this without generating more entropy; it seems the system is unable to create enough and there is no way around this.
>>>
>>> On Thu, Sep 23, 2021 at 1:15 AM alchemist vk <alchemist...@gmail.com> wrote:
>>>
>>>> Thanks *Jon* for the openssl command confirmation.
>>>> *@ylavik*,
>>>> It's a Linux OS and the openssl version is 1.1.1k-fips. I have not yet explored SSLRandomSeed changes.
>>>> Yes, we upgraded openssl a few months back to 1.1.1k, but we have been seeing this httpd hangs issue since last month.
>>>>
>>>> *@otis Dewitt*, since it's production code in systems, I can't install haveged and try it out.
>>>>
>>>> On Thu, Sep 23, 2021 at 4:57 AM Otis Dewitt - NOAA Affiliate <otis.dew...@noaa.gov.invalid> wrote:
>>>>
>>>>> I don't think "insufficient entropy" has anything to do with Apache, but you could try installing the "haveged" rpm.
>>>>> That may solve your problem.
>>>>>
>>>>> On Wed, Sep 22, 2021 at 2:11 PM alchemist vk <alchemist...@gmail.com> wrote:
>>>>>
>>>>>> Hi All,
>>>>>> We are using httpd version 2.4.46 and it has been working fine for a long time. But recently, we started seeing an issue where Apache hangs indefinitely even when the system is in an idle state.
>>>>>> And when Apache hangs, I see the below entries in error_log:
>>>>>> [Tue Sep 21 22:05:53.243013 2021] [ssl:warn] [pid 5769:tid 2644435888] AH01990: Server: PRNG still contains insufficient entropy!
>>>>>> [Tue Sep 21 22:05:54.501476 2021] [ssl:warn] [pid 5769:tid 2787111856] AH01990: Server: PRNG still contains insufficient entropy!
>>>>>> [Tue Sep 21 22:05:54.502449 2021] [ssl:warn] [pid 5769:tid 2787111856] AH01990: Server: PRNG still contains insufficient entropy!
>>>>>> ...
>>>>>> ....
>>>>>> ....
>>>>>>
>>>>>> I am pretty sure we have not changed anything related to the httpd config for quite some time and have no idea why this issue started manifesting now.
>>>>>> Please help me with how to RC this and what logs can be looked at to debug further?
>>>>>>
>>>>>> PS: Occurrence of the issue is higher in systems where FIPS is enabled. In FIPS-disabled systems, occurrence is less.
>>>>>>
>>>>>> With Regards
>>>>>> Venkat
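The thread's advice boils down to one diagnostic (read /proc/sys/kernel/random/entropy_avail) and a check for which entropy sources (rngd, haveged, the virtio_rng module) a host actually has. The script below is an added example, not code from anyone on this list: it packages those checks so they can be run from cron or a monitoring agent before httpd starts logging AH01990. The /proc path and the daemon and module names come from the thread; the 1000-bit threshold, the pgrep dependency and the /dev/hwrng check are assumptions of this example.

```shell
#!/bin/sh
# entropy_check.sh: added example, not part of the original thread.
# Reads the kernel entropy estimate and reports which entropy sources
# discussed in the thread (rngd, haveged, virtio_rng) are present.

# Paths and threshold are overridable so the check can be run against a
# captured copy of the file; 1000 bits is an assumed alert threshold.
ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"
THRESHOLD="${THRESHOLD:-1000}"

# read_entropy FILE -> prints the integer in FILE, or "unknown" if unreadable
read_entropy() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        echo unknown
    fi
}

# classify_entropy VALUE THRESHOLD -> prints ok | low | unknown
classify_entropy() {
    case "$1" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$1" -ge "$2" ]; then
        echo ok
    else
        echo low
    fi
}

# entropy_sources -> space-separated list of sources found on this host
entropy_sources() {
    found=""
    for d in rngd haveged; do
        # pgrep is assumed to be available (procps / procps-ng)
        if pgrep -x "$d" >/dev/null 2>&1; then
            found="$found $d"
        fi
    done
    if [ -r /proc/modules ] && grep -q '^virtio_rng ' /proc/modules; then
        found="$found virtio_rng"
    fi
    # /dev/hwrng exists when a hardware RNG driver is bound (assumption)
    if [ -e /dev/hwrng ]; then
        found="$found /dev/hwrng"
    fi
    echo "${found# }"
}

# main -> prints a one-line summary and exits non-zero when entropy is low
main() {
    val=$(read_entropy "$ENTROPY_FILE")
    state=$(classify_entropy "$val" "$THRESHOLD")
    printf 'entropy_avail=%s threshold=%s state=%s\n' "$val" "$THRESHOLD" "$state"
    printf 'entropy sources present: %s\n' "$(entropy_sources)"
    case "$state" in
        ok) return 0 ;;
        *)  return 1 ;;
    esac
}

# Run the report only when executed as entropy_check.sh, so the functions
# can also be sourced from another script without side effects.
case "${0##*/}" in
    entropy_check.sh) main "$@" ;;
esac
```

Run it as `sh entropy_check.sh`; a non-zero exit means the pool is below the threshold or could not be read. On a host where the sources line comes back empty, that matches the "poor entropy on VMware unless haveged or virtio_rng is in place" situation described above, and is worth alerting on before the AH01990 warnings appear.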