On Sat, Sep 1, 2012 at 4:47 PM, Jim Jagielski <j...@jagunet.com> wrote:
> Another alternative would be to have the nonce also possibly
> set at config-time and, if unset, then use the uuid. That way
> it could also be used as a sort of shared-secret ;)
>
>     ProxySet nonce="applepie!"
>
> Longer term, I think that's a more "strategic" solution.
What? Nonces are one-time use only, by definition. Better, IMO, would be to either use insecure random, or, better still, seed a PRNG from secure random once and use that from then on (for all randomness). Or switch to FreeBSD where /dev/random does not block :-)

> On Aug 31, 2012, at 2:14 PM, Stefan Fritsch <s...@sfritsch.de> wrote:
>
>> On Friday 31 August 2012, Eric Covener wrote:
>>> I'm fighting a problem on new releases of AIX where in some
>>> environments, /dev/random seems to run out of entropy way too
>>> quick.
>>>
>>> I'd like a way to suppress the apr_uuid_get->
>>> apr_generate_random_bytes() in mod_proxy_balancer used for the
>>> balancer-manager nonce in affected environments.
>>>
>>> I was thinking a global "BalancerManager off" could be used for
>>> this and would also have the upside of fixing the SetHandler
>>> htaccess problem.
>>>
>>> Alternatives would be to find a weaker source for the nonce, or
>>> allow to opt out / use a hard-coded one.
>>>
>>> Any suggestions?
>>
>> For 2.4, you could use ap_random_insecure_bytes(). It should be good
>> enough for a nonce.
>>
>> If you add a "BalancerManager off", it should be per directory, or at
>> least per vhost. Otherwise it would not help that much with the
>> SetHandler htaccess problem.
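The approach the reply recommends, seeding once from the OS and drawing every later nonce from a PRNG so the entropy pool is not hit per request, as an added example that is not httpd or APR code: a ChaCha20-based generator seeded once from /dev/urandom (assumes a POSIX system; the `prng_*` names are invented here, and the 16-byte nonce size is an illustrative choice, not mod_proxy_balancer's format).

```c
/* Added example, not httpd or APR code: seed a ChaCha20-based generator once
 * from the OS, then derive every later nonce from it. Assumes POSIX /dev/urandom. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ROTL(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define QR(a, b, c, d) (a += b, d ^= a, d = ROTL(d, 16), c += d, b ^= c, b = ROTL(b, 12), \
                        a += b, d ^= a, d = ROTL(d, 8),  c += d, b ^= c, b = ROTL(b, 7))
typedef struct { uint32_t st[16]; } prng_t; /* constants | key | counter | nonce */
static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Load a 32-byte key; block counter and stream nonce start at zero. */
void prng_seed(prng_t *g, const uint8_t key[32]) {
    const uint8_t *sigma = (const uint8_t *)"expand 32-byte k";
    for (int i = 0; i < 4; i++) g->st[i] = le32(sigma + 4 * i);
    for (int i = 0; i < 8; i++) g->st[4 + i] = le32(key + 4 * i);
    memset(&g->st[12], 0, 4 * sizeof(uint32_t));
}
/* Seed exactly once from the kernel; returns 0 on success, -1 on failure. */
int prng_seed_from_os(prng_t *g) {
    uint8_t key[32];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(key, 1, sizeof key, f);
    fclose(f);
    if (n != sizeof key) return -1;
    prng_seed(g, key);
    return 0;
}

/* Emit one 64-byte ChaCha20 keystream block, then advance the counter. */
void prng_block(prng_t *g, uint8_t out[64]) {
    uint32_t x[16];
    memcpy(x, g->st, sizeof x);
    for (int i = 0; i < 10; i++) {            /* 20 rounds: column then diagonal */
        QR(x[0], x[4], x[8],  x[12]); QR(x[1], x[5], x[9],  x[13]);
        QR(x[2], x[6], x[10], x[14]); QR(x[3], x[7], x[11], x[15]);
        QR(x[0], x[5], x[10], x[15]); QR(x[1], x[6], x[11], x[12]);
        QR(x[2], x[7], x[8],  x[13]); QR(x[3], x[4], x[9],  x[14]);
    }
    for (int i = 0; i < 16; i++) {
        uint32_t v = x[i] + g->st[i];
        out[4*i] = v; out[4*i+1] = v >> 8; out[4*i+2] = v >> 16; out[4*i+3] = v >> 24;
    }
    if (++g->st[12] == 0) g->st[13]++;     /* 64-bit counter: a block is never reused */
}

/* One fresh 16-byte nonce per generated page, with no kernel call. */
void prng_nonce16(prng_t *g, uint8_t nonce[16]) {
    uint8_t blk[64];
    prng_block(g, blk);
    memcpy(nonce, blk, 16);
}
```

Because the counter advances on every block, two calls never return the same nonce for one seed; the seed itself is the only point where blocking entropy is consumed.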