Long connect times...
I'm clearly a stupid fsck, but perhaps this tip will help other stupid fscks out there running Apache and mod_ssl on Linux.

I was having trouble with long (really long, sometimes) connect times on SSL connections. Sometimes things would go through immediately, or within a second or two, but often it would be 20 seconds before data started coming back.

Well, I'd configured SSL to use the high-quality random data from /dev/random (Linux gurus can stop reading here -- I've just told you what I did wrong), but that device won't give you any more data than it has collected entropy. That is, /dev/random maintains a pool of randomness that is fed by external, presumably unpredictable, events. When the pool runs dry, you have to wait for some random stuff to happen before you'll get the data you tried to read. So Apache was reading from this limited resource, and sometimes (if I was moving the mouse, or typing, or had a lot of disk activity happening) there'd be enough random data to generate a key or whatever mod_ssl needed, but other times it had to wait until "things" happened.

Tough to debug if you're thinking it's maybe network problems or something, but a quick strace will show what's really happening.

Anyway, the solution is to use /dev/urandom, which never runs dry, as your source for the SSLRandomSeed lines.

d.
__
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                              [EMAIL PROTECTED]
Automated List Manager                                 [EMAIL PROTECTED]
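The following script is an added example, not code from the thread or from the mod_ssl project. It checks an Apache/mod_ssl configuration for SSLRandomSeed directives that read the blocking /dev/random, writes a copy that reads /dev/urandom instead, and reports the kernel's current entropy estimate so the symptom described above (connections stalling while the pool refills) can be confirmed rather than guessed at. The configuration fragment it runs on is constructed for the demo; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit an Apache/mod_ssl configuration
# for SSLRandomSeed directives that read the blocking /dev/random, rewrite
# them to /dev/urandom, and show the kernel's current entropy estimate.

# Print every SSLRandomSeed line that reads file:/dev/random.
# Exit status 0 if at least one such line exists, 1 otherwise (grep's own).
find_blocking_seed() {
    grep -Ei '^[[:space:]]*SSLRandomSeed[[:space:]]+(startup|connect)[[:space:]]+file:/dev/random([[:space:]]|$)' "$1"
}

# Print the number of such lines; always exits 0 so it is safe under set -e.
count_blocking_seed() {
    n=$(grep -cEi '^[[:space:]]*SSLRandomSeed[[:space:]]+(startup|connect)[[:space:]]+file:/dev/random([[:space:]]|$)' "$1") || n=0
    echo "$n"
}

# Copy $1 to $2 with file:/dev/random replaced by file:/dev/urandom on
# SSLRandomSeed lines only; every other line is left untouched.
fix_seed() {
    sed -E 's#^([[:space:]]*SSLRandomSeed[[:space:]]+(startup|connect)[[:space:]]+file:)/dev/random([[:space:]]|$)#\1/dev/urandom\3#' "$1" > "$2"
}

# Linux exposes the kernel's entropy estimate here; print "n/a" elsewhere.
# A value that hovers near zero while SSL handshakes stall is the signature
# of the problem described in the thread.
entropy_avail() {
    if [ -r /proc/sys/kernel/random/entropy_avail ]; then
        cat /proc/sys/kernel/random/entropy_avail
    else
        echo "n/a"
    fi
}

# Demo on a constructed config fragment (not a real server's file).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/random 512
SSLRandomSeed connect file:/dev/random 512
EOF
echo "blocking seed lines: $(count_blocking_seed "$demo_conf")"
find_blocking_seed "$demo_conf"
fixed_conf=$(mktemp)
fix_seed "$demo_conf" "$fixed_conf"
echo "after fix: $(count_blocking_seed "$fixed_conf") blocking lines"
cat "$fixed_conf"
echo "kernel entropy_avail: $(entropy_avail)"
rm -f "$demo_conf" "$fixed_conf"
```

Run it against the real httpd.conf or ssl.conf by replacing the constructed fragment with the file path; the rewrite only touches the `file:` source of SSLRandomSeed lines, so `builtin` and `exec:` sources stay as they are. Pairing the config check with entropy_avail is what separates this failure from a network problem: the strace the author mentions shows a read() on /dev/random that does not return, and entropy_avail shows why.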
Re: Long connect times...
=>From: "Ralf S. Engelschall" <[EMAIL PROTECTED]>
=>...
=>Yes, and details about this situation and problem are in the mod_ssl
=>documentation for a long time - directly under the entry for
=> SSLRandomSeed.
=>But people often like it more to waste time instead of reading documentation
=>first... ;) I've now also added an FAQ entry about this topic to increase the
=>chance people find the answer. Thanks for your hint.

FAQ is good; perhaps also a mention in the comments of the default config file. (That's how I got in trouble: I was just going through the file and tweaking stuff.)

Regards,
d.
Re: Generating Entropy [was OT: Long connect times...]
=>From: Steve Freitas <[EMAIL PROTECTED]>
=>...
=>is there a way to generate entropy to prevent random
=>from blocking?

Depends on how badly you want it. SGI has a neat solution (http://lavarand.sgi.com): they use Lava Lite(r) lamps and a video digitizer to generate gobs of entropy.

On a more human scale, you can probably use a video camera looking at just about anything, as long as it moves a little. (How about FishRand?) I've also seen occasional discussions about using a sound card to digitize noise, but I can't remember whether the Hard Crypto guys think that's a good idea or not. I suspect there's not *that* much entropy in what you get from a sound card. I don't know how hard it'd be to feed that entropy into /dev/random, though.

For web server use (bringing this back on-topic) you probably want to use /dev/urandom, because otherwise local users can do a denial-of-service by saying: "dd if=/dev/random of=/dev/null &"

d.
Re: Strange delays
=>From: Oscar Abrahamsson <[EMAIL PROTECTED]>
=>...
=>I have a problem with my apache/mod_ssl-webserver:
=>- sometimes when accessing a page I get a response time of a few minutes. The
=>moment before and after everything is normal.

Check the "SSLRandomSeed" entries in your configuration file. Apparently, it's a common problem that the random source used by the SSL libraries for key material tends to run dry, so connections hang until more entropy is generated somehow so that key generation can continue. I don't know what happens on Solaris, but on Linux, if you use "/dev/random" instead of "/dev/urandom," you're likely to see this.

d.