I did not find many but here are some notes for Yocto.

1.) http://ch.ege.io/blog/2015/05/04/using-h-slash-w-randaom-generator-on-odrod-c1-with-yocto/
2.) https://wiki.yoctoproject.org/wiki/Entropy_on_Autobuilders

Thanks,
Otis

On Fri, Sep 24, 2021 at 9:14 AM alchemist vk <alchemist...@gmail.com> wrote:

> Thanks Dewitt for very thorough and insightful explanation. We are using
> Yocto packaged linux version with openssl version being OpenSSL 1.1.1k-fips
> 25 Mar 2021.
>
> With Regards,
> Venkatesh
>
> On Fri, Sep 24, 2021 at 12:11 AM Otis Dewitt - NOAA Affiliate
> <otis.dew...@noaa.gov.invalid> wrote:
>
>> No problem Venkatesh.
>>
>> No, I don't know how to generate entropy in Apache because I think Apache
>> uses the system entropy.
>> You can check how many are available via: "cat
>> /proc/sys/kernel/random/entropy_avail".
>>
>> Under the system I know of two different packages, one *rngd* and the
>> other *haveged*.
>>
>> The *rngd* daemon, which is a part of the rng-tools package, is capable
>> of using both environmental noise and hardware random number generators for
>> extracting entropy. The daemon checks whether the data supplied by the
>> source of randomness is sufficiently random and then stores it in the
>> kernel's random-number entropy pool. The random numbers it generates are
>> made available through the /dev/random and /dev/urandom character
>> devices.
>>
>> The *haveged* project is an attempt to provide an easy-to-use,
>> unpredictable random number generator based upon an adaptation of the
>> HAVEGE <http://www.irisa.fr/caps/projects/hipsor/> algorithm. Haveged
>> was created to remedy low-entropy conditions in the Linux random device
>> that can occur under some workloads, especially on headless servers.
>> Current development of haveged is directed towards improving overall
>> reliability and adaptability while minimizing the barriers to using haveged
>> for other tasks.
>>
>> What OS are you using? Redhat CentOS etc . . .
>>
>>
>> On Thu, Sep 23, 2021 at 2:06 PM alchemist vk <alchemist...@gmail.com>
>> wrote:
>>
>>> Thanks Dewitt for your inputs.
>>> Will check from system perspective how to generate more entropy and
>>> resolve this issue.
>>>
>>> Do you know how to generate more entropy in system or via apache so
>>> that it can never be deprived of entropy?
>>>
>>> With Regards,
>>> Venkatesh
>>>
>>> On Thu, Sep 23, 2021 at 8:46 PM Otis Dewitt - NOAA Affiliate
>>> <otis.dew...@noaa.gov.invalid> wrote:
>>>
>>>> Hmm I see, I am not sure why you did not get this right away when
>>>> switching from openssl to openssl-fips because FIPS requires a lot of
>>>> entropy
>>>> and if this is on VMWARE, that has very poor entropy unless you use
>>>> entropy generator like "*haveged*" or load *virtio_rng* kernel module.
>>>> As I said before I am not sure how you will fix this without generating
>>>> more entropy, it seems the system is unable to create enough and
>>>> there is no way around this.
>>>>
>>>>
>>>> On Thu, Sep 23, 2021 at 1:15 AM alchemist vk <alchemist...@gmail.com>
>>>> wrote:
>>>>
>>>>> Thanks *Jon* for openssl command confirmation.
>>>>> *@ylavik*,
>>>>> It's linux OS and openssl version is 1.1.1k-fips. I have not yet
>>>>> explored with SSLRandomSeed changes.
>>>>> Yes, we upgraded openssl few months back to 1.1.1k, but we are
>>>>> seeing this httpd hangs issue from last month.
>>>>>
>>>>> *@otis Dewitt*, Since it's production code in systems, I can't install
>>>>> haveged and try it out.
>>>>>
>>>>>
>>>>> On Thu, Sep 23, 2021 at 4:57 AM Otis Dewitt - NOAA Affiliate
>>>>> <otis.dew...@noaa.gov.invalid> wrote:
>>>>>
>>>>>>
>>>>>> I don't think "insufficient entropy" has anything to do with Apache,
>>>>>> but you could try installing "haveged" rpm.
>>>>>> That may solve your problem.
>>>>>>
>>>>>> On Wed, Sep 22, 2021 at 2:11 PM alchemist vk <alchemist...@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi All,
>>>>>>> We are using httpd version 2.4.46 and it's working fine for a long
>>>>>>> time. But recently, we started seeing an issue where apache hangs
>>>>>>> indefinitely even when the system is in idle state.
>>>>>>> And when apache hangs, I see below entries in error_log:
>>>>>>> [Tue Sep 21 22:05:53.243013 2021] [ssl:warn] [pid 5769:tid
>>>>>>> 2644435888] AH01990: Server: PRNG still contains insufficient entropy!
>>>>>>> [Tue Sep 21 22:05:54.501476 2021] [ssl:warn] [pid 5769:tid
>>>>>>> 2787111856] AH01990: Server: PRNG still contains insufficient entropy!
>>>>>>> [Tue Sep 21 22:05:54.502449 2021] [ssl:warn] [pid 5769:tid
>>>>>>> 2787111856] AH01990: Server: PRNG still contains insufficient entropy!
>>>>>>> ...
>>>>>>> ....
>>>>>>> ....
>>>>>>>
>>>>>>> I am pretty sure we have not changed anything related to httpd config
>>>>>>> for quite a time and have no idea why this issue started getting
>>>>>>> manifested now.
>>>>>>> Please help me how to RC this and what logs can be looked to debug
>>>>>>> further?
>>>>>>>
>>>>>>> PS: Occurrence of issue is more in systems where FIPS is enabled. In
>>>>>>> FIPS disabled systems, occurrence is less.
>>>>>>>
>>>>>>> With Regards
>>>>>>> Venkat
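
Added example, not part of any message in this thread: a POSIX shell helper that summarises the AH01990 warnings per httpd process and compares the `entropy_avail` value mentioned above with a threshold. The function names, the 256-bit threshold and the sample lines for pids 5770 and 5700 are assumptions made for the example.

```shell
#!/bin/sh
# Added example. Log layout and paths follow the thread; threshold and extra sample lines are assumptions.

# Constructed sample error_log: the three AH01990 lines from the thread (unwrapped),
# plus one constructed line for another pid and one unrelated line.
sample_log() {
cat <<'EOF'
[Tue Sep 21 22:05:53.243013 2021] [ssl:warn] [pid 5769:tid 2644435888] AH01990: Server: PRNG still contains insufficient entropy!
[Tue Sep 21 22:05:54.501476 2021] [ssl:warn] [pid 5769:tid 2787111856] AH01990: Server: PRNG still contains insufficient entropy!
[Tue Sep 21 22:05:54.502449 2021] [ssl:warn] [pid 5769:tid 2787111856] AH01990: Server: PRNG still contains insufficient entropy!
[Tue Sep 21 22:06:10.000000 2021] [ssl:warn] [pid 5770:tid 2787111856] AH01990: Server: PRNG still contains insufficient entropy!
[Tue Sep 21 22:06:11.000000 2021] [core:notice] [pid 5700:tid 2787111856] constructed unrelated line
EOF
}

# Summarise AH01990 warnings per httpd pid: count plus first/last time seen.
ah01990_by_pid() {
    awk '
        /AH01990:/ {
            ts = substr($4, 1, 8); pid = ""
            for (i = 1; i < NF; i++)
                if ($i == "[pid") { pid = $(i + 1); sub(/:.*/, "", pid) }
            if (pid == "") next
            if (!(pid in n)) { first[pid] = ts; order[++k] = pid }
            n[pid]++; last[pid] = ts
        }
        END {
            for (j = 1; j <= k; j++) {
                p = order[j]
                printf "pid=%s count=%d first=%s last=%s\n", p, n[p], first[p], last[p]
            }
        }' "$1"
}

# Compare the kernel entropy estimate with a threshold (bits).
# $1 = threshold (chosen by the caller), $2 = file to read (defaults to the path from the thread).
entropy_status() {
    file=${2:-/proc/sys/kernel/random/entropy_avail}
    [ -r "$file" ] || { echo "UNKNOWN"; return 2; }
    avail=$(cat "$file")
    if [ "$avail" -lt "$1" ]; then echo "LOW avail=$avail"; return 1; fi
    echo "OK avail=$avail"
}

# Demo: summarise the constructed log, then check the live system.
log=$(mktemp) && sample_log > "$log"
ah01990_by_pid "$log"
entropy_status 256 || true
rm -f "$log"
```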