Thanks, but I already have that line in my rc.conf file, and the log entries that I have submitted to this list are not from a reboot but rather apachectl stop and start or startssl. So when I run a startssl I get the randomness I need; however, when I just use apachectl start, which is 99.9% the same command, it does not. Honestly, I am stumped; hope you have some more wisdom to share. There is also the line about ssl cache; I have done some googling but have not been able to come up with anything that helps.

Matthew Seaman wrote:

On Wed, Apr 07, 2004 at 03:39:42PM -0600, RYAN vAN GINNEKEN wrote:



Seems to initialize ssl but my ssl page still does not work; however, my
regular page does work. Here is a printout of the log file when I do
an apachectl stop and apachectl startssl. When I use startssl
everything works great, including my ssl page.





[Wed Apr 07 13:20:08 2004] [info] Init: Seeding PRNG with 0 bytes of entropy
[Wed Apr 07 13:20:08 2004] [warn] Init: Session Cache is not configured
[hint: SSLSess



The fact that you can do an apachectl startssl and have everything work as desired means that you're 99.99% of the way to getting it all to work. The modification to the apache2.sh script I sent you last time should force that script to always run 'apachectl startssl' itself, so that shouldn't be the problem.

Hmmm... I think that perhaps the problem arises from when the
apache2.sh script is run.  I'm guessing that the 'Seeding PRNG' line
is significant -- it apparently means that there is no random data yet
available from /dev/random at the point when apache is started up in
the boot sequence.  As you're running 4.9, that can be cured by
telling the system to use some appropriate IRQs as sources of
randomness.  First run:

% vmstat -i

and look for the IRQs where there are a lot of interrupts generated.
Not the 'clk' or 'rtc' interrupts, as those are clock ticks, firing at
regular intervals, which is worse than useless as a source of
randomness.  I find that irq12 (psm0 -- the mouse), irq1 (atkbd0 --
the keyboard), irq11 (mux -- multiplex: but this is network activity
mostly) and irq15 (mux -- multiplex again, but disk activity mostly)
work well for me, but you will have to choose 2 or 3 or 4 suitable
IRQs on your own system to harvest for randomness.

Then add them to /etc/rc.conf

rand_irqs="1 11 12 15"

Then reboot. (See rndcontrol(8) for more details)

With luck, and a following wind, there will be sufficient system
activity during startup that there will be sufficient random data
available to prime the PRNG used by OpenSSL, which should let apache
start up automatically.

Cheers,

Matthew
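
Added example, not part of the original thread: a small sh helper that applies the selection rule described in the message above (busy IRQs, never 'clk' or 'rtc') to `vmstat -i` output and prints a candidate rand_irqs line. The function names, the sample output and the assumed "<device> irq<N> <total> <rate>" line layout are constructed for illustration.

```shell
#!/bin/sh
# Assumption: vmstat -i prints lines of the form
#   <device> irq<N> <total> <rate>

# Constructed sample output, standing in for a real `vmstat -i` run.
sample_vmstat() {
cat <<'EOF'
interrupt          total      rate
ata0 irq14        184211         9
mux irq11         912004        46
fdc0 irq6              1         0
atkbd0 irq1        20417         1
psm0 irq12        351872        17
clk irq0         1980012       100
rtc irq8         2534400       128
Total            5982917       301
EOF
}

# Read vmstat -i text on stdin; print up to $1 IRQ numbers (default 4),
# chosen by highest interrupt total, listed in ascending order.
# clk and rtc are skipped: they fire at regular intervals.
pick_irqs() {
    max=${1:-4}
    awk '$2 ~ /^irq[0-9]+$/ && $1 != "clk" && $1 != "rtc" && $3 > 0 {
             sub(/^irq/, "", $2); print $3, $2
         }' |
    sort -k1,1nr | head -n "$max" | sort -k2,2n |
    awk '{ printf "%s%s", (NR > 1 ? " " : ""), $2 } END { if (NR) print "" }'
}

# Print the /etc/rc.conf line for the chosen IRQs; fail if none qualify.
rand_irqs_line() {
    irqs=$(pick_irqs "$1")
    [ -n "$irqs" ] || { echo "no suitable IRQs found" >&2; return 1; }
    printf 'rand_irqs="%s"\n' "$irqs"
}

# On the real machine: vmstat -i | rand_irqs_line 4
sample_vmstat | rand_irqs_line 4
```

The totals reflect activity since boot, so the suggestion is only a starting point; the IRQs still have to be ones that see activity during startup.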


