On Sat, Sep 1, 2012 at 8:13 PM, Jim Jagielski <j...@jagunet.com> wrote: > > On Sep 1, 2012, at 12:39 PM, Ben Laurie <b...@links.org> wrote: > >> On Sat, Sep 1, 2012 at 4:47 PM, Jim Jagielski <j...@jagunet.com> wrote: >>> Another alternative would be to have the nonce also possibly >>> set at config-time and, if unset, then use the uuid. That way >>> it could also be used as a sort of shared-secret ;) >>> >>> ProxySet nonce="applepie!" >>> >>> Longer term, I think that's a more "strategic" solution. >> >> What? Nonces are one-time use only, by definition. >> > > Then we change the name from "nonce" to something else... Preventing > or arguing against a solid, reliable fix and enhancement because > it's called something is pretty bogus.
Sure, if its not a nonce, fine by me. Is it not a nonce? What is its purpose? > Or the other thing, other than renaming it, is to not be so > pedantic... after all, how long did we have 'MaxRequestsPerChild'? ;) Whatever. The core problem is that /dev/random blocks, and we've already seen that working around this leads to problems. > >> Better, IMO, would be to either use insecure random, or, better still, >> seed a PRNG from secure random once and use that from then on (for all >> randomness). >> >> Or switch to FreeBSD where /dev/random does not block :-) >> >>> On Aug 31, 2012, at 2:14 PM, Stefan Fritsch <s...@sfritsch.de> wrote: >>> >>>> On Friday 31 August 2012, Eric Covener wrote: >>>>> I'm fighting a problem on new releases of AIX where in some >>>>> environments, /dev/random seems to run out of entropy way too >>>>> quick. >>>>> >>>>> I'd like a way to suppress the apr_uuid_get-> >>>>> apr_generate_random_bytes() in mod_proxy_balancer used for the >>>>> balancer-manager nonce in affected environments. >>>>> >>>>> I was thinking a global "BalancerManager off" could be used for >>>>> this and would also have the upside of fixing the SetHandler >>>>> htaccess problem. >>>>> >>>>> Alternatives would be to find a weaker source for the nonce, or >>>>> allow tto opt out / use a hard-coded one. >>>>> >>>>> Any suggestions? >>>> >>>> For 2.4, you could use ap_random_insecure_bytes(). It should be good >>>> enough for a nonce. >>>> >>>> If you add a "BalancerManager off", it should be per directory, or at >>>> least per vhost. Otherwise it would not help that much with the >>>> SetHandler htaccess problem. >>>> >>> >> >
